What are heuristic rules?

To that end, heuristics help remove complexity by relying on past experience, intuition or “rules of thumb.” However, while such rules promote faster decisions, they sometimes cause errors or biases.

What are the key drivers of heuristic rules?

The drivers of heuristic rules are rooted in the need for speed, efficiency and cognitive simplicity.

These drivers include:

1. Limited information – heuristics are useful when a decision has to be made from new, diverse or incomplete data.
2. Time constraints – rules also provide a rapid way to process information and make decisions without analysis. For example, in the immediate aftermath of a cyberattack.
3. Cognitive load – the human brain can only handle a certain amount of information before decision-making ability is impaired. Heuristics help reduce the number of factors that need to be considered and reduce cognitive load.
4. Cognitive biases – these biases are systematic errors in thinking that occur when people process and interpret information in their environment. These biases also help reduce complexity.

Five heuristics that impact decision-making in finance

Here are five cognitive biases that apply in finance and cybersecurity with a few examples that clarify their use.

1 – Availability heuristic

The availability heuristic occurs when decisions are influenced by readily available information such as recent experiences or easily recalled events.

This heuristic can affect investment decisions, risk assessments and client recommendations.

But it can also be used in a phishing attack where fraudsters:

• Exploit recent events – such as a conference or data breach.
• Leverage high-profile news – tax deadlines and regulatory changes are two examples.
• Reference internal communication – for example, a company-wide memo to update passwords or software.

In each case, the fraudster attempts to add credibility to their scam by referencing recent, memorable or internal events.

2 – Anchoring heuristic

The anchoring heuristic occurs when individuals place too much importance on an initial piece of information (the anchor) and adjust from there.

In a business acquisition, the target company may set a high initial price which serves as the anchor. Even if data indicates that the company is worth less, buyers tend to base their offer near the anchor price and may overpay.

3 – Representativeness heuristic

The representativeness heuristic causes individuals to judge the probability of an event by how closely it resembles a stereotype or experience.

Investor behaviour is a classic example of this rule. An investment analyst could assume that because a tech company performed well in the past, similar companies will also outperform the market.

In the process, this mental shortcut overlooks other critical factors that could impact performance, such as market conditions, regulatory changes or the quality of the company’s management.

4 – Familiarity heuristic

The familiarity heuristic drives decisions based on what feels familiar or comfortable.

In a phishing attack, criminals exploit the tendency for employees to comply with the instructions of trusted colleagues, superiors or entities.

Familiar request formats (such as password resets or unpaid invoice notices) are also used to lower the defences of an employee and have them click on malicious links or reveal sensitive data.

5 – Scarcity heuristic

The scarcity heuristic causes individuals to perceive something as more valuable if it is rare or limited.

When a company holds an IPO, investors often make hasty decisions to buy shares based on a fear of missing out. Airbnb, for example, opened at $146 per share on the NASDAQ – a number that far exceeded its IPO price of $68.

How heuristic rules apply to cybersecurity

In cybersecurity, heuristic rules serve as quick, predefined checks that increase the efficiency of machine learning-based fraud prevention. As a consequence, they use fewer resources and minimise load on the system.

As in other contexts, however, the use of heuristic rules in this context is not without its trade-offs. Since the focus is on speed, factors such as precision and accuracy may be impacted.

Nevertheless, to understand how heuristics apply to cybersecurity, let’s look at a few different use cases.

Fraud prevention

In a detection system that prevents bonus abuse, for example, transactions are blocked based on previously identified data points such as user ID, email address and browser hashes.

Here’s an abbreviated description of how this process may work in practice:

1. An account is created by an individual to fraudulently claim a bonus of some kind. The individual has tried this in the past, but to conceal their behaviour, they used a different device and email address.
2. During the sign-up process, the fraudster uses the same IP address as the last attempt and the home address entered is almost identical to an address used previously.
3. The system then uses heuristics to consider whether data points in the current attempt were present in previous attempts. The system fills in the blanks, so to speak, and makes new inferences.
4. Based on its predictions, the risk tolerance threshold of the system is reached and the individual is subsequently blocked.

False positives are always a risk with heuristics-based fraud prevention. However, many companies prefer false positives (where transactions involving authentic users are blocked) to false negatives (where the opportunity to block fraudulent transactions is missed).

Virus detection

Heuristics are also used in most antivirus software to search for specific commands or instructions not typically found in applications.

Like fraud prevention, heuristics in virus detection use rule or weight-based systems to determine acceptable levels of risk. If rules exceed predetermined thresholds, alerts are triggered and pre-emptive action is taken.

Here are some techniques that antivirus software uses to detect known viruses and also identify new ones:

1. File emulation. Here, a file is executed in a controlled environment to see how it behaves. If the file attempts to modify system files or make unauthorised connections, then the system will likely identify it as a virus.
2. File analysis. This involves inspecting a file to determine its intent, purpose and destination. If a file’s purpose was to delete other files, for example, heuristic rules may identify it as malicious.
3. Genetic signature detection. The third technique involves identifying malware based on unique patterns or “signatures” in its code or behaviour. These signatures enable cybersecurity tools to detect not only new versions of malware but also variants or mutations that share core characteristics.

While these heuristic-based methods may also throw up the occasional false positive, they complement traditional solutions that compare suspect files to databases of previously discovered malware.

Phishing detection

Heuristics are also used to detect various forms of phishing and block or flag suspicious emails before they reach their intended recipient.

Rules examine specific email attributes such as:

• Unusual sender addresses – fraudulent emails often come from addresses with subtle anomalies. For example, “@applle.com” instead of “@apple.com”.
• Suspicious attachments – rules also pertain to unusual file types (such as .exe and .js) as well as any files compressed in a .zip or .rar format. Executable files disguised as PDF documents may also be flagged by heuristic detection systems.
• Inconsistent language – many phishing attempts contain poor grammar, awkward phrasing or specific keywords or phrases that tend to be associated with email phishing.
• Suspicious links – heuristic rules can also detect whether there is a mismatch between a link’s visible text and the URL to which it points.
• First-time contact – other rules compare the senders of all inbound emails with those who have previously contacted the recipient. Any email from a first-time sender may be flagged or considered high risk.

Summary:

• Heuristic rules are mental shortcuts or simple decision-making strategies that solve complex problems quickly and efficiently. These rules rely on approximations or common patterns to find an optimal solution without requiring exhaustive analysis.
• People are influenced by various heuristic rules or cognitive biases. These include the availability heuristic, anchoring heuristic and scarcity heuristic. Some help finance professionals make decisions in high-pressure or uncertain situations, while others exacerbate cybersecurity issues.
• Machine learning algorithms also use heuristic rules in fraud prevention, phishing detection and antivirus software. Rules increase detection efficiency because they screen out potential attacks based on known patterns of fraudulent behaviour.