Despite CISOs’ formidable training efforts on behalf of teams, a commonly overlooked phenomenon is the human tendency to freeze amidst a crisis. Building your incident response operations around this ingrained aspect of psychology can help prevent your teams from seizing up during intense and urgent situations.
In the event of an intrusion or ransomware attack, how exactly will your security team respond? Will they take an aggressive approach, pass the potato, or involuntarily experience fear-based paralysis?
While CISOs commonly contend that their staff has the expertise and training required to fight off a cyber attack, there’s still a chance that staff will freeze up when the pressure is on.
Fight, flight, freeze
Director of Human Science at Immersive Labs, Bec McKeown, says that “You may have a crisis playbook and crisis policies, and you may assume those are the first things you’ll reach for during an incident. But that’s not always the case because the way [in which] your brain works isn’t just fight or flight. It’s fight, flight or freeze.”
According to Chief Information Security Officers, freezing during a high-stakes moment isn’t so unusual. But when a security staff member or team freezes, rather than acts, it can give hackers an edge, enabling them to inflict further damage or export additional data. At the end of the day, it can also culminate in higher regulatory penalties and loss of business.
Given the very real possibility of a ‘freeze’ reaction and its negative repercussions, analysts and long-time CISOs suggest that security leaders spend time implementing new practices that can reduce the chances of occurrence. In addition, CISOs should know how to identify and dissolve the freeze response if it does occur during a security incident.
Any person or team can experience what is known as ‘cognitive narrowing,’ where they are so focused on the present situation that they cannot contextualize the event. In short, cognitive narrowing prevents people from thinking in the way that they usually do, creating the ‘freeze’ response. It’s just part of human nature.
Cyber security leader Neil Harper, who now serves as a board director with ISACA, observed a team freeze in response to a ransomware attack. Says Harper, “They literally did not know what to do, even though they had some experience with [incident response] walkthroughs…They were in panic mode.”
In some instances, teams that freeze are afraid that their actions will come across as overreactions. In other cases, teams are paralyzed by the fear of being blamed. In yet other situations, no team members have had real-world cyber event experience, meaning that no one feels sufficiently confident to lead an attack response.
Prevent the freeze effect. Here’s how:
1. Examine your drills and add components that can better enable teams to prepare for real cyber attacks. As your team moves through drills, bring up new things that aren’t normally in your playbook. For example, ahead of time, discreetly ask an employee to deliberately make a wrong move during the drill. This will help your team work through an unexpected or deteriorating situation.
2. Try out a countdown clock during drills. This forces teams to make progress against adversaries under intense pressure – the kind of pressure that they would feel during a real cyber security incident. While it might feel like an uncomfortable exercise, it builds muscle memory that can help incident responders swiftly squash an actual cyber attack.
3. Consider involving enterprise executives in cyber security drills, as they too are liable to experience the ‘freeze’ phenomenon during an incident. For example, you may see your CFO withhold financial information that is needed as an incident unfolds.
4. If possible, you may want to hire cyber security staff members who have experience working through breaches and hacks. Alternatively, consider a contract with an outside incident response team that does this type of work on a routine basis.
5. Further, consider creating channels that allow security employees to suggest creative solutions to problems during a live incident. Employees should feel comfortable enough to suggest solutions under even the most stressful of security situations.