EXPLORING IMPLICIT BIAS IN ENGINEERING SECURITY TOOL ADOPTION WITH TRAINING INSIGHTS FOR HR AND IT

Abstract

Engineering teams often do not choose to adopt new security tools for technical reasons; rather, they often choose not to because of implicit psychological biases that lead to cognitive distortions that affect assessments of risk and trust. This paper investigates the cognitive variables that affect engineers' trust and risk beliefs when adopting tools; these variables include overconfidence, ambiguity aversion, familiarity bias, biases toward the status quo, and perceived effort. Using psychometric models, such as TPMAP, we have noted that the confusion surrounding trust calibration, role beliefs, and unconscious processing produces persistent patterns of resistance that have not been considered in traditional models of technology adoption. Developers, DevOps, and Security Engineers exhibit different trust-risk profiles, dependent on individual cognitive propensities and social framing factors - namely, their organizational framing of their safety-critical role. Resistance to new tools, especially when tool adoption is framed as compliance mandates rather than aims of enabling one’s security capability, can elicit considerable emotional resistance - and reasonable moralizing, especially when the tools involve surveillance. In response to these challenges, we propose a common HR-IT training plan starting with onboarding biases, gradualisation (scenarios), and reinforcements using trust dashboards - to realign people's biases, reduce 'cognitive friction', and to foster psychologically intelligent security cultures. Our research calls for the exploration of cognitive load UI, emotional telemetry, and personalized training pathways. In this regard, we put forward that researchers should embrace a human-centered approach to technology adoption - rather than a technology-centered one.  This type of better consideration of the social implications and responsibilities of technology in the security domain has not received enough critical review.