Session Abstract: Why are so many organizations over-reliant on anti-virus while ignoring patching critical servers? Why do some enforce their generic awareness training while happily accepting flat, open networks and shared administrative passwords? Although there is a growing body of scientific research on how bias impacts our ability to accurately assess risk, bias factors remain largely absent from our risk assessment programs. This talk explores the various ways in which bias, cognitive heuristics, and influence affect our perception of risk and its impact on our decision-making as security professionals. Dozens of biases will be presented along with their impact on decision-making.

Summary: This talk explores the various ways in which bias, cognitive heuristics, and influence affect our perception of risk and its impact on our decision-making as security professionals, reviewing dozens of biases and providing ways to identify and protect our decision-making.

Additional Information: This talk provides engaging examples that facilitate insight into how we, as security professionals, assess risk. This will NOT be a talk where the speaker just reads a list of biases and blames the attendees for being biased. I believe that this talk is a great new way of viewing risk, fitting very nicely into this year's theme, "Reimagining Risk and Resilience".