Incident Response

The Psychology of Ransomware Response

The human response to cyber crises is not something that can be bought off a shelf and installed over the weekend. On average, it takes 96 days for a human to develop the knowledge, skills and judgment to defend against breaking threats – and that is too long during times of heightened threat.

Immersive Labs provides a platform designed to raise the cyber capabilities of a company’s entire workforce. “We’ve been operational since 2017,” the company told SecurityWeek, “and have collected a weighty amount of data – 2,100 organizations, 500,000 cybersecurity exercises at either our labs or via a crisis simulator looking at 1,500 separate threats or incidents, which could be anything from ransomware to SOC teams looking at specific malware.”

A Cyber Workforce Benchmark 2022 report (PDF) has analyzed the exercises and simulations. The results show that the technology and financial services sectors spend the most time on preparing the workforce for cyber incidents – with other critical infrastructure companies preparing the least.

But what really stands out from the report is that business has yet to learn how to handle ransomware. “Seven out of the top 10 least confidently answered crisis scenarios across the entire platform were focused on this threat,” says Immersive. To a large degree the problem centers on the fundamental question: to pay or not to pay? The predominant preference is to not pay. Eighty-three percent of organizations responding to the report’s questions chose not to pay. Despite this, 18% of government crisis response teams – who are usually ‘instructed’ to not pay – did so.

SecurityWeek spoke to Rebecca McKeown, director of human science at Immersive Labs, and a visiting lecturer in applied psychology at Cranfield University. We wanted to understand the human psychology involved in responding to ransomware and how companies can better prepare the workforce. McKeown has also spent 15 years working on a Ministry of Defense project looking at learning and development and thinking skills in difficult situations.

“I see a lot of overlap between what the military has done and what it’s like to work in a crisis situation inside cybersecurity,” she told SecurityWeek.

She defines ransomware as a ‘wicked problem’. In psychology, this isn’t evil – it is a problem that is difficult or impossible to solve because of incomplete, contradictory, and changing requirements that are often difficult to recognize. Pressure and resistance to resolution are also characteristics – which quite accurately describes the immediate aftermath of being hit by ransomware. At this point, technology is of little or no help; it is a human response that is necessary. Ransomware is also a zero-sum game. The victim cannot win, so the solution is to lose as little as possible – but this must be achieved as quickly as possible while under intense pressure.

This is where human psychology becomes important. The mind is a limited capacity information processor. “It makes all sorts of assumptions and takes shortcuts based on previous experience,” explains McKeown. “Also, when we’re under a highly intense, high-pressure situation, the brain considers itself to be under attack, so it narrows down the focus of what we’re working on (we call it cognitive narrowing). It means we’re not getting all the information needed to make the difficult decisions under pressure.”

Ransomware is a whole company incident. Every department is impacted, and every department wants a say in its resolution. Panic is a frequent and unhelpful component – especially if the workforce has not been prepared on how to respond. 

“When you panic,” explains McKeown, “there’s a small portion of the brain, called the amygdala, which triggers the release of adrenaline. Now, the brain has dual processing. Processor one is very emotional. It’s very quick, it’s based on intuition, previous experience and values. Processor two is the more rational, logical part of the brain. There is an interaction between the way these two parts process information, but the emotional kicks in milliseconds before the rational. In a panic situation when the adrenaline is flowing, it is all emotion-based and narrowly focused on past experiences. So, you probably won’t be taking in and understanding other information that can be used in problem solving and decision making.” Common panic is a serious threat to logical thinking.

The result, in a ransomware-induced human response situation, is multiple voices calling for different reactions based not just on reality but on different psychological pressures. This is not a good background for optimal decision-making and helps to explain why ransomware remains the most feared cyber crisis.

Immersive’s recommendation is that the workforce should be prepared for a ransomware situation through regular training, exercises and discussions in slow time before any incident and without the ensuing pressure. “By taking part in regular crisis exercises, all these disagreements can be resolved outside of the crisis, so arguments don’t happen at the time of crisis response – and everybody knows what to do and what is expected of them.”

This requires the new leadership style that welcomes and listens to diversity, rather than the old leadership style that simply says, ‘I’m in charge, and this is what we’ll do.’ “The new style leader,” says McKeown, “is aware of ‘wicked problems’ in cybersecurity. Leadership is moving more towards accepting the leader doesn’t have to have all the answers but must be willing to use the people-resources available.”

During the decision-testing phase of the exercise process, ‘counterfactual thinking’ can be used. It says, OK, this is what we’ve decided; but what would happen if we did something different? What are those consequences? “By doing this on a regular basis,” she continued, “you start to build a pattern recognition of the underlying issues, and you also find you are building the relationships that can iron out conflicting opinions before a crisis happens.”

Diversity of thought is one of the ways of challenging decisions – it’s a decision-making tool. Immersive’s solution to the psychological mayhem of a ransomware crisis is to deliver short but frequent ransomware crisis exercises at the customers’ site using a crisis simulator to help develop a cohesive team able to handle the crisis with efficiency.

“The insights produced by this report underscore the need for large organizations to have visibility of the cyber capabilities of their workforce,” said James Hadley, CEO of Immersive Labs. “Without measuring the ability of technical and non-technical teams to mitigate risk, a critical part of resilience is missing. Gaps in cyber knowledge, skills and judgment can have the same impact as technical vulnerabilities.”

To this, we can add the insights provided by psychologist Rebecca McKeown.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
