Executives, like everyone else, use heuristic thinking to solve complicated problems. A heuristic is simply a logical shortcut, like an analogy or an analytic framework. “When we’re presented with a difficult question, we replace it with a question that’s easier to answer,” Blau explains.

While heuristics can help us attack common problems more efficiently, they don’t always yield accurate results. In cybersecurity, for example, executives often use military analogies to define their strategy, Blau says. Like medieval generals repelling a siege, they respond to external threats by reinforcing their castle walls. Such heuristics are seductive but misleading, because cybercriminals are constantly changing tactics to evade defenses and an organization’s assets are constantly evolving as well.

So-called status quo bias also hampers strategic thinking, says Blau. If leaders don’t know that they’ve been the victim of a data breach or that their system has a vulnerability, they might think their defenses are working fine. In reality, they might not have detected the bug or attacks that have already happened.