Name of concept
Fundamental attribution error
The fundamental attribution error suggests that people overestimate the influence of someone’s dispositions and personality in their behaviour, and underestimate the role, or even power, of the situation that people are in. This means that when people are confronted with unexpected behaviours from others, people tend to draw conclusions about what these people are like based on that behaviour, instead of assessing whether the specific situation they were in when they performed the behaviour might have played a role. For instance, when seeing a stranger at the train station who looks grumpy, people are more likely to assume that that is a grumpy person, rather than entertaining the idea that a late train might have caused this person to be grumpy only temporarily.
Application within the field of cybersecurity
The fundamental attribution error is a problem in cybersecurity in terms of perceptions of culpability. When an organisation becomes the victim of a cyberattack, people within the organisation, as well as the wider society, explains this in two ways: 1) the organisation must not have had its cybersecurity in order, otherwise this attack would not have happened, or 2) the end-user who caused the incident (e.g., by clicking on a phishing link) is so stupid, they caused this themselves. In addition, others usually look at these incidents thinking that they will not be as ‘stupid’ themselves. In reality, there are a multitude of environmental factors that play a role in cyberattacks. Some of these include bad luck, as a cybercriminal only needs one successful attack to gain access, while people defending the organisation and its systems need to be prepared for all eventualities. Others include the notion that end-users often have many responsibilities and might be under pressure to complete a deliverable before a tight deadline, resulting in less attention paid to warning signs of phishing emails. The fundamental attribution error can cause damage this way, as people might be seen as to blame for the insecure behaviour, rather than being met with empathy for the situation they found themselves in.
Download this page as a pdf-file:
Download slides about this topic that you can embed into your presentation / lecture: