The human response to cyber crises is not something that can be bought off a shelf and installed over the weekend. On average, it takes 96 days for a human to develop the knowledge, skills and judgment to defend against breaking threats – and that is too long during times of heightened threat.
Immersive Labs provides a platform designed to raise the cyber capabilities of a company’s entire workforce. “We’ve been operational since 2017,” the company told SecurityWeek, “and have collected a weighty amount of data – 2,100 organizations, 500,000 cybersecurity exercises at either our labs or via a crisis simulator looking at 1,500 separate threats or incidents, which could be anything from ransomware to SOC teams looking at specific malware.”
A Cyber Workforce Benchmark 2022 report (PDF) has analyzed the exercises and simulations. The results show that the technology and financial services sectors spend the most time on preparing the workforce for cyber incidents – with other critical infrastructure companies preparing the least.
But what really stands out from the report is that business has yet to learn how to handle ransomware. “Seven out of the top 10 least confidently answered crisis scenarios across the entire platform were focused on this threat,” says Immersive. To a large degree the problem centers on the fundamental question: to pay or not to pay? The predominant preference is to not pay. Eighty-three percent of organizations responding to the report’s questions chose not to pay. Despite this, 18% of government crisis response teams – who are usually ‘instructed’ to not pay – did so.
SecurityWeek spoke to Rebecca McKeown, director of human science at Immersive Labs, and a visiting lecturer in applied psychology at Cranfield university. We wanted to understand the human psychology involved in responding to ransomware and how companies can better prepare the workforce. McKeown has also spent 15 years working on a ministry of defense project looking at learning and development and thinking skills in difficult situations.
“I see a lot of overlap between what the military has done and what it’s like to work in a crisis situation inside cybersecurity,” she told SecurityWeek.
She defines ransomware as a ‘wicked problem’. In psychology, this isn’t evil – it is a problem that is difficult or impossible to solve because of incomplete, contradictory, and changing requirements that are often difficult to recognize. Pressure and resistance to resolution are also characteristics – which quite accurately describes the immediate aftermath of being hit by ransomware. At this point, technology is of little or no help, it is a human response that is necessary. Ransomware is also a zero-sum game. The victim cannot win, so the solution is to lose as little as possible – but this must be achieved as quickly as possible while under intense pressure.
This is where human psychology becomes important. The mind is a limited capacity information processor. “It makes all sorts of assumptions and takes shortcuts based on previous experience,” explains McKeown. “Also, when we’re under a highly intense, high-pressure situation, the brain considers itself to be under attack, so it narrows down the focus of what we’re working on (we call it cognitive narrowing). It means we’re not getting all the information needed to make the difficult decisions under pressure.”
Ransomware is a whole company incident. Every department is impacted, and every department wants a say in its resolution. Panic is a frequent and unhelpful component – especially if the workforce has not been prepared on how to respond.
“When you panic, explains McKeown, “there’s a small portion of the brain, called the amygdala, which triggers the release of adrenaline. Now, the brain has dual processing. Processor one is very emotional. It’s very quick, it’s based on intuition, previous experience and values. Processor two is the more rational, logical part of the brain. There is an interaction between the way these two parts process information, but the emotional kicks in milliseconds before the rational. In a panic situation when the adrenaline is flowing, it is all emotion-based and narrowly focused on past experiences. So, you probably won’t be taking in and understanding other information that can be used in problem solving and decision making.” Common panic is a serious threat to logical thinking.
The result, in a ransomware induced human response situation, is multiple voices calling for different reactions based not just on reality but different psychological pressures. This is not a good background for optimal decision-making and helps to explain why ransomware remains the most feared cyber crisis.
Immersive’s recommendation is that the workforce should be prepared for a ransomware situation through regular training, exercises and discussions in slow time before any incident and without the ensuing pressure. “By taking part in regular crisis exercises, all these disagreements can be resolved outside of the crisis, so arguments don’t happen at the time of crisis response – and everybody knows what to do and what is expected of them.”
This requires the new leadership style that welcomes and listens to diversity, rather than the old leadership style that simply says, ‘I’m in charge, and this is what we’ll do.’ “The new style leader,” says McKeown, “is aware of ‘wicked problems’ in cybersecurity. Leadership is moving more towards accepting the leader doesn’t have to have all the answers but must be willing to use the people-resources available.”
During the decision-testing phase of the exercise process, ‘counter factual thinking’ can be used. It says, OK, this is what we’ve decided; but what would happen if we did something different? What are those consequences? “By doing this on a regular basis,” she continued, “you start to build a pattern recognition of the underlying issues, and you also find you are building the relationships that can iron out conflicting opinions before a crisis happens.”
Diversity of thought is one of the ways of challenging decisions – it’s a decision-making tool. Immersive’s solution to the psychological mayhem of a ransomware crisis is to deliver short but frequent ransomware crisis exercises at the customers’ site using a crisis simulator to help develop a cohesive team able to handle the crisis with efficiency.
“The insights produced by this report underscore the need for large organizations to have visibility of the cyber capabilities of their workforce,” said James Hadley, CEO of Immersive Labs. “Without measuring the ability of technical and non-technical teams to mitigate risk, a critical part of resilience is missing. Gaps in cyber knowledge, skills and judgment can have the same impact as technical vulnerabilities.”
To this, we can add the insights provided by psychologist Rebecca McKeown.