Posts

Showing posts from September, 2024

Passionate dispassion

Someone who is actively involved in, or is managing, an activity is patently not independent of it. They may well make a conscious, rational and determined effort to be objective, dispassionately reviewing evidence etc., but their subconscious/emotional biases/prejudices and beliefs/value-systems will inevitably influence what they do. With the best will in the world, they will struggle to challenge and assess their past decisions and activities, especially if they were "certain" or "determined" or genuinely believed they were "doing the right thing". Furthermore, it is very hard for anyone to review the things they did not do, decisions they did not make or options they did not even consider. Mostly, they remain out of sight or out of the question.

Cognitive Hack - book review

Title: Cognitive Hack - The New Battleground in Cybersecurity... The Human Mind
Author: James Bone
Part of the Internal Audit and IT Audit series edited by Dan Swanson
Publisher: CRC Press/Auerbach (2017)
ISBN: 978-1-4987-4981-7
Price: US $100 (hardback), US $53 (paperback)
GH rating: 50%

Summary
The author's core thesis is that we are expecting IT users and managers to make rational, risk-averse decisions and take appropriate actions in response to complex threats. The 'cognitive load' is such that people are bound to make mistakes. Therefore we should be simplifying things (e.g. by automating cybersecurity controls), thereby reducing the number of choices, and hence the taxing decisions, we're asking people to make.

Philosophical phriday - compliance risk

According to a vendor's promotional video interview I saw recently, the 'cybersecurity compliance burden' has allegedly become so significant that [customer] organisations are eagerly buying [their] software tools and services to help them manage and fulfil their obligations. The vendor's argument goes that, instead of accumulating a ragtag bunch of policies and other controls relating to user Identification and Authentication (I&A), for instance, it makes sense to:

Identify all the cybersecurity-related laws, regulations and standards that apply to the organisation;
Examine them for any security control requirements relating to, say, I&A;
Rationalise the I&A controls down to the smallest set that satisfies all the requirements - the lowest common denominator;
Design, implement, use, manage and maintain those I&A controls;
Have the I&A controls checked or audited to gain assurance that the compliance requirements are met.

OK so far? Sounds reasonab