There’s one cognitive bias that we humans are prone to, and it lies at the centre of some of the challenges that cybersecurity professionals face every day. It’s known as the normalcy bias – what Dr. Lauren Braithwaite defines as “our tendency to underestimate the possibility of disaster and believe that life will continue as normal, even in the face of significant threats or crises.” It's why people hesitate after fire alarms go off or delay reacting in other unfolding situations because things still appear manageable.
Because this bias leads us to mistake familiarity for safety and assumptions for evidence, it increasingly gets in the way of dealing with cybersecurity as it actually is. It causes people to underestimate the likelihood of a cyberattack, or to read the absence of obvious problems as evidence that risks are under control. In practice, many organisations treat a lack of alerts from their chosen protection platform(s) as proof that everything is fine. Others fail to act quickly enough on warning signs because they assume that business will simply continue as usual.
Meanwhile, despite a steady drumbeat of news headlines on breaches at organisations like M&S, JLR, and Co-op (and most breaches never actually make it to the front pages), and advice from the cybersecurity industry and government organisations about how to avoid becoming the next victim, the number of major incidents continues to rise at an eye-watering rate.
The NCSC Annual Review 2025 reported 204 "nationally significant" cyberattacks in the 12 months to August 2025, a 130% increase from the 89 reported in the previous year. Of 429 total incidents, 18 were classified as "highly significant," marking a 50% increase in severe incidents. Breach rates remain stubbornly high, which may reflect a creeping normalisation of breach risk and be seen as normalcy bias at scale: the more common breach disclosures become, the less urgency each one may carry.
Lessons learnt?
There’s a phrase that is trotted out by governments and companies alike when a catastrophe of any type – including a cybersecurity breach – occurs: “Lessons have been learnt”.
But have they? The 130% increase in significant incidents between 2024 and 2025 severely challenges this assertion and points to lessons not being learnt, at least at a macro level. That looks like a big no.
Last year I wrote a blog post that may, in part, explain the psychological state after a breach. I argued that many companies are, in a sense, both breached and not breached, simultaneously, and I likened this situation to Schrödinger’s cat. Until you open the box by interrogating logs or actively searching for a compromise, the comfort of “we haven’t been breached” merely reflects the fact that no-one has actually checked. In fact, this reluctance to look could also be normalcy bias quietly doing its work.
“Lessons have been learnt” is the aftermath of opening the box, finding the cat to be (unfortunately) deceased, and then declaring: “we know what’s happened, we’ve got a handle on this, don’t worry”. This is narrative, not evidence of a meaningful change in approach.
By contrast, real learning is a proactive process that changes how organisations behave. This should be reflected in changes to budgets, policies, rules, recovery planning, supplier scrutiny, logging, monitoring, training, and the tolerance for error, to name just a few. And all of it done before the inevitable breach takes place. It’s much more difficult to hit a moving target, after all.
So, if we can accept that normalcy bias is a common and human cognitive condition, we can progress towards avoiding complacency before a breach and minimise its impact. ‘To err is human’, but now we know what the failing is, we have an imperative to act upon that knowledge – and do things differently.
Endgame: what if we still don’t recognise this bias?
The criminal ‘auditors’ are banking on human error. After all, it’s why phishing is still one of the most prevalent ways that breaches occur.
There are two main ways in which the endgame plays out in cybersecurity.
Either we regularly audit ourselves – run penetration testing, red/blue/purple team and other attack simulation exercises, regularly re-evaluate the threat landscape, and invest in our security provision as part of our cyber resilience strategy.
Or we allow cybercriminals to do the ‘audit’ for us. They rely on a false sense of security (literally), and this is the chink in the armour they exploit.
Criminals ‘auditing’ you can be brutal, costly, devastating and, in many cases, terminal for organisations. That is why this metaphor matters – cybercriminals discover the gap between what an organisation believes about its security and what the reality is.
To put things into perspective, ESET’s threat intelligence processes 750,000 suspicious samples, analyses 2.5 billion URLs while blocking 500,000 of them – every day. Threat actors are relentless, and as their attacks become more and more sophisticated, we have to ditch any thought that we are impervious. We must accept that normalcy bias exists and act upon it.
In the wake of a number of high-profile retail breaches in the UK, ESET conducted research with 2,000 consumers. The resulting report revealed, amongst other things, that 46% of shoppers said it would take them 5+ months to rebuild trust after a data breach. That’s an expensive audit! One only needs to do the simple maths to estimate the direct financial damage, if that’s all senior management is interested in. That figure alone should suffice, even though it is usually just the tip of a very painful iceberg.
The bottom line
An aspect of normalcy bias that I find most intriguing is that, despite the increased sophistication, speed, volume and variety of attack vectors we are all aware of, our approach to cyber resilience strategies often remains rooted in the past – even if it is the relatively recent past. But time passes quickly in cybersecurity, and in the 4 or 5 minutes it’s taken you to read this article, ESET will have processed over 2,000 suspicious samples and scanned approx. 7 million URLs, blocking approx. 1,500 of them.
When asking why we should review our cybersecurity services provision, are we accounting for all the parameters that have changed (globally as well as locally) in the last few years, and for how they could affect our current security posture?
Right off the top of your head, you could probably name at least a few of these:
- Rise of AI-enabled fraud and other threats.
- The war in Ukraine.
- Iran.
- Increase in cost of cybercrime worldwide.
- Deepfakes.
- Increased social engineering attacks.
- Persistence of phishing as the main attack vector.
- Increased complexity of cybersecurity solutions and services.
- Cyber skills gaps remaining worryingly wide.
There are many others, no doubt. And it’s no coincidence that the level of protection offered by vendors only a few short years ago is being phased out, and MDR/XDR/MXDR services and solutions are becoming the norm.
The criminal ‘auditors’ certainly haven’t rested on their laurels in that time. Whilst the use of new tools, like AI, doesn’t necessarily mean better coding, it does enable them to scale attacks massively – and it allows them to scan for vulnerabilities at an unprecedented pace.
- If you aren’t investing in auditing, testing, cyber awareness, and prevention technologies, you’re not saving money – you’re simply outsourcing assurance to the criminals.
- The C-suite is most engaged with cybersecurity immediately after a costly breach – after normalcy is shattered. Get them engaged earlier.
- Criminals work round the clock, with agentic AI by their side. Are your solutions resilient enough to cope? Check.
- Whatever the size of your organisation, you need to look at your cyber profile and resilience constantly.
- Don’t mistake (incident) silence for safety – invest in 24/7 MDR/MXDR services.
- Now you know about the ‘normalcy bias’ trap – avoid it.
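One concrete way to “open the box” before declaring the quiet normal, as an added example that is not part of the original post and not ESET’s code: the script below takes a small, constructed set of authentication and heartbeat log lines (hostnames, timestamps and the line format are all made up for illustration) and asks two questions a hunter would ask before trusting a dashboard that shows zero incidents. First, which expected log sources have gone silent for longer than their heartbeat allows? A collector that has died produces exactly the same “no alerts” as a healthy estate. Second, among the logs that did arrive, is there a burst of failed logins that ended in a success, which is the kind of signal a volume-only failure alert never surfaces?

```python
"""Silence-vs-safety checks over a constructed log sample (illustrative, not a product)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample in a made-up "<ISO timestamp> <host> <event> k=v ..." format.
SAMPLE_LOG = """\
2025-09-01T08:00:05Z web-01 auth_ok user=alice src=10.0.0.12
2025-09-01T08:00:09Z web-01 auth_fail user=admin src=203.0.113.7
2025-09-01T08:00:10Z web-01 auth_fail user=admin src=203.0.113.7
2025-09-01T08:00:11Z web-01 auth_fail user=admin src=203.0.113.7
2025-09-01T08:00:12Z web-01 auth_fail user=admin src=203.0.113.7
2025-09-01T08:00:13Z web-01 auth_fail user=admin src=203.0.113.7
2025-09-01T08:00:14Z web-01 auth_fail user=admin src=203.0.113.7
2025-09-01T08:00:40Z web-01 auth_ok user=admin src=203.0.113.7
2025-09-01T08:02:00Z db-01 heartbeat
2025-09-01T08:05:00Z web-01 heartbeat
2025-09-01T09:30:00Z web-01 heartbeat
2025-09-01T11:00:00Z web-01 heartbeat
"""
# Hosts we *expect* to report (assumed inventory) and the moment the check runs.
EXPECTED_HOSTS = ["web-01", "db-01", "vpn-01"]
NOW = datetime(2025, 9, 1, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\w+)(?:\s+(.*))?$")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict[str, str]


def parse_log(text: str) -> list[Event]:
    """Parse the sample format into time-ordered events; reject malformed lines loudly."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        ts_s, host, kind, rest = m.groups()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append(Event(ts, host, kind, fields))
    return sorted(events, key=lambda e: e.ts)


def silent_sources(events, expected_hosts, now, max_gap):
    """Map each expected host that is silent to its gap in minutes (None = never reported)."""
    last_seen: dict[str, datetime] = {}
    for e in events:
        if e.host not in last_seen or e.ts > last_seen[e.host]:
            last_seen[e.host] = e.ts
    silent = {}
    for host in expected_hosts:
        if host not in last_seen:
            silent[host] = None  # a source that never arrived is the worst kind of quiet
        elif now - last_seen[host] > max_gap:
            silent[host] = int((now - last_seen[host]).total_seconds() // 60)
    return silent


def failed_then_success(events, min_failures=5, window=timedelta(minutes=5)):
    """Flag (host, user, src, n) where >= min_failures auth_fail events precede an
    auth_ok from the same source within `window`: the attacker eventually got in."""
    failures = defaultdict(list)
    hits = []
    for e in events:
        key = (e.host, e.fields.get("user"), e.fields.get("src"))
        if e.kind == "auth_fail":
            failures[key].append(e.ts)
        elif e.kind == "auth_ok":
            recent = [t for t in failures.get(key, []) if e.ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((*key, len(recent)))
                failures[key].clear()
    return hits


def run_checks(max_gap=timedelta(minutes=90)):
    events = parse_log(SAMPLE_LOG)
    return silent_sources(events, EXPECTED_HOSTS, NOW, max_gap), failed_then_success(events)


if __name__ == "__main__":
    silent, hits = run_checks()
    for host, gap in silent.items():
        print(f"SILENT  {host}: {'never reported' if gap is None else f'{gap} min since last event'}")
    for host, user, src, n in hits:
        print(f"HUNT    {host}: {n} failed logins for {user!r} from {src} followed by success")
```

On the sample, db-01 has been quiet for 238 minutes and vpn-01 has never reported at all, so a console showing “0 alerts” for those hosts says nothing about their safety. Meanwhile web-01, the one host that is still talking, shows six failed logins for admin from 203.0.113.7 followed thirty seconds later by a success. Neither finding requires new tooling, only the decision to look.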