Doing all those mandatory 'security rituals' like audits can actually make a company more vulnerable by giving everyone a false sense of safety.
March 25, 2026
Original Paper
From Compliance to Complacency: Organizational Reinforcement of Cognitive Bias in Cyber-Security Governance
SSRN · 6191881
The Takeaway
We usually assume that more certifications and audits mean a safer company. This research found that because successful cyber-attacks are rare, these 'compliance rituals' become a substitute for actual learning, leading leaders to mistake paperwork for protection while the 'dark field' of undetected threats grows.
From the abstract
Organizations increasingly treat cyber-security as a strategic governance concern, yet systematic misjudgments of risk persist. This study examines how distorted risk perceptions emerge and stabilize in organizational decision-making when failures are rare and effective defense remains largely unobservable. Drawing on eight elite expert interviews with senior cyber-security professionals possessing cross-enterprise and cross-sector visibility into high-severity incidents in the DACH region, and u