The connection between technology and psychology may not be immediately apparent but our instincts when under attack, wherever the threat may come from, are often surprisingly similar. Lorne Chedzey, Chief Information Officer at Ergo, delves into the parallels between technology and psychology.
As both a technology specialist and someone who has spent many years studying the human science of psychology, I have witnessed a parallel between how humans behave when facing a psychological threat and how many CISOs and IT leaders behave when facing the potential threat of a data breach. Information technology is a product of the human mind, so perhaps this is not too surprising.
However, we can gain some insights from psychology that can be useful, like how the powerful human forces of fear and acceptance can play a key role in our cyber resilience strategy, and what to look out for as common pitfalls in strategic thinking.
Many years ago, during my psychology degree, I studied the stress response, writing my thesis around the effectiveness of various coping mechanisms. It’s human nature to focus on trying to prevent something unpleasant, and the human body has developed a “fight or flight” response to threatening events, which is often why many people suffer from a chronic stress response as well as anxiety.
These symptoms can be incredibly debilitating for some people. They arose during our evolution, when this response, which raises cortisol levels in the bloodstream, could lead to action: fleeing from the bear chasing us through the woods.
In modern times, we still feel the same feelings, but our environment is very different. When we have unpleasant experiences today, we often protect ourselves from these psychologically threatening events with defence mechanisms, such as avoidance.
This can sometimes be effective in warding off the initial threat, but by doing so, we are not preparing ourselves for a time when we cannot avoid this situation. When this happens, the situation can cause considerable psychological damage.
This coping strategy is only effective when we can control the variables.
To draw parallels to the cyber-security realm, IT leaders have built a fortress of prevention technologies, with firewalls and identity and access management systems, which are all effective at avoiding the threat of a cyber-attack. All of this is needed to protect their organisation’s valuable data from falling into the wrong hands, which is why it is a wise strategy to pursue.
However, this alone is of no use if you do eventually get breached, and you are in a situation where you’re facing a threat where you are not in control of the variables, and there is a risk of considerable business and reputational damage, as well as a lot of stress.
If someone is struggling with chronic stress because they are finding it difficult to cope with external factors, sometimes it’s helpful to understand where the issue is coming from, so that they can identify the root cause and start to do something about it.
Often counselling or cognitive behavioural therapy can be useful in this instance. A good therapist will delve deeply into thoughts, and feelings, and how these may result in specific behaviours. This can sometimes provide someone with an “aha” moment, where they can link an external stimulus, to a thought, and then onto a behaviour.
This can be effective at changing behaviour and reducing the stress response.
From a cyber security perspective, the equivalent is deploying observability tools to identify and analyse where there may be potential breaches.
Using SIEM systems to collect and analyse event logs can detect potential threats that could be a root cause of a possible breach. Vulnerability management systems can identify systems, networks and software that may have holes that need to be plugged.
This exploration work is very effective at understanding where the root cause of a breach may occur, and gives an organisation forewarning to plug these gaps, to change behaviours and avoid the loss of critical data.
Anticipatory anxiety is where there is a fear of an upcoming event that has not yet happened, and when this feeling occurs, there are a number of coping mechanisms that can be effectively employed.
One primary mechanism recommended is to act in a concrete manner and do everything you can do to be prepared for the upcoming event. For instance, if you are anxious about a future public speaking event, then prepare for the talk, practice, make notes, and give yourself the best possible chance of success.
However, sometimes that isn’t enough, and you also need to focus on bringing your thoughts back to the present and calming the nervous system through the mind. This can be achieved through the practice of meditation. Additionally, developing acceptance of the upcoming event can reduce anticipatory anxiety and make you perform much better on the day.
The same is true of cyber resilience. Acceptance that you are going to be the target of a breach, and being as prepared as possible for that eventuality, is not just good for the mental health of our CISOs, but also an effective strategy as it puts the mindset into “response mode”.
In my experience as a CIO in the global IT marketplace, the mindset of acceptance and preparing for the eventuality of a breach is probably the one area that is least practiced.
It’s critical to focus on a cyber resilience plan that goes beyond simply documenting a process and includes a business impact analysis of critical services and functions, linking these to key applications and infrastructure and ensuring that all of the components can be recovered in the event of a breach.
For instance, when hit with a cyber-attack, you cannot delete or alter that primary environment until full cyber forensics has been completed, and law enforcement have been notified, so how do you continue to run your business during what could be weeks or months of not having your environment accessible?
An immutable backup, although important, will not protect you from this eventuality.
At first glance, psychology and IT services may appear to be at opposite ends of the spectrum, but the tips, tricks, methods and diagnostic tools we use to quell our own anxieties, fears and stresses can and should be applied to our cyber-security methods.
In an age of advanced cyber threats acting as the metaphorical bear in the woods, we need to use all of the tools at our disposal to ensure we are safe and secure.