The Subtle Sabotage Of Blame In Cybersecurity & Online Safety

By Tim McGuinness, Ph.D. – Anthropologist, Scientist, Director of the Society of Citizens Against Relationship Scams Inc.

Blame in Cybersecurity & Online Safety is Rampant!

We all do it, we all blame someone for something.

Sometimes blame is justified, sometimes there is cause, and it is very hard to remove it from your vocabulary – but it is always destructive.

I recently heard a cybersecurity training professional tell a story about motivating a corporate team to do better with cybersecurity. It was something to the effect that they needed to learn the material because “You don’t want to be the one that lets a breach happen!” That is blame!

Now think about that for a moment, about blame and let those words sink in. That is not motivation, it is blame – blaming in advance! Letting those people know that there will be blame in the event of a mistake or an incident. What would be your reaction if someone said that to you?

Yet, if we are honest, that is the way most of us talk to our children or were talked to by our parents too. This is where we learn our blaming approach to life – it starts as children – being told that we will be to blame if we do something wrong. It wires itself into our brain and without even realizing it we perpetuate it for the rest of our life – in our personal life, with our family and friends, and in the workplace.

When you try to help traumatized people recover from deep manipulative cyber-enabled crime you begin to develop an understanding of how blaming language can affect them, and how you have to modify the tonality of your language to help them.

As we [SCARS www.AgainstScams.org] have more fully explored the trauma of victims, we realized that overcoming blame was not limited only to victims. In fact, it appears that “Pre-Blame” is one of the contributors to the self-blame and shame that victims of cybercrime feel after the event.

Almost everyone who experiences a cybercrime – especially those based upon social engineering and manipulation – experiences some shame after the event. This shame will prevent the victim from reporting the crime, fully accepting it, and prevent them from sharing the experience with friends, family, or co-workers. This sense of shame even appears to increase the longer it is maintained. That is to say, the longer the secret is kept the harder it is to tell it.

When looking at this problem of “Pre-Blame” or “Set-up Blame” in the corporate context we see this tendency to try to reinforce the importance of cybersecurity by setting up a sense of dread in the team members so that they will “stay on their toes.” Except that, we see that it has the opposite effect. That sense of dread not only creates fear of making a mistake which can inhibit critical, logical, and solution-oriented thinking that would make it difficult for someone to mitigate an incident but can cause paralysis after the realization that it was their fault.

As we teach – there are THREE STAGES in a cyberattack or cybercrime:

  1. The Attack – the actions that create or exploit a vulnerability – either of a system or a human. These are the actions perpetrated by the attacker.
  2. The Defense – the critical actions that need to be taken to stop an attack and mitigate its immediate impact.
  3. The Recovery – this is actually the step most overlooked in the cybersecurity profession and by victims themselves. It deals with the postmortem of the attack but also helps humans to understand their roles without blame and to recover from the inevitable trauma that came from that experience.

Trauma is an inevitable part of the cybercrime experience just like it is in any form of violence – and make no mistake – cybercrime is violence – no doubt about it. As Interpol says “Online Crime Is Real Crime!”

Yet, so often in the corporate or family context, we set up the blame in advance, and when the incident occurs we already know who and how to blame like a coiled snake ready to leap. The impact of this is not just a sense of guilt or shame by the individual involved, even if it was a mistake that anyone would make, but it also sabotages the recovery after the incident and sabotages the further hardening of the environment that will be necessary for everyone’s future security.

Consider that when you set up your teams with an advanced understanding that there will be blame, the following occurs:

  • Everyone develops a sense of dread, in some cases, it can almost become a phobia about using technology – the fear that they will break something.
  • The team will be less likely to work together on problems for fear that someone else will discover how little they know (or they think).
  • In the event of an incident, people are reluctant to ask for help that could reduce the impact.
  • If an event does occur the team members will be more likely to cover up the incident and not ask for help to prevent future attacks because they expect to be blamed.
  • Each team member believes that when it hits the fan they are on their own.

This is not a hypothesis, this is how humans are wired.

When people believe they are at fault they will blame themselves and the same negative effects will still apply. In studying this phenomenon we have found that most victims will not recover from this. About a third will develop various forms of denial. Another third will express their self-blame or shame through anger or aggression. We find that only about one-third are sufficiently realists to accept that the event happened and can work through the trauma and let go of the blame or shame associated with it.

The result is certainly not something that any organization wants to instill in their teams or wants to be sustained after an incident. And the irony is that much of it is self-created by the simple way that trainers and managers use blame to try to motivate their people instead of developing the essential cooperation that defends and repels attacks, and more importantly, since all defenses will ultimately fail, to develop the recovery processes and mindset that get everyone back working as a team.

Almost every organization understands the impact on their workforce when there is violence affecting their team – HR departments know how to refer to or bring in trauma counselors when there is an assault, domestic abuse, harassment, etc. But cybercrimes also leave people traumatized, especially if it was a person’s own mistake that caused it or they believe it was their fault.

A recent trend around the world is to even litigate against an employee that makes a mistake. Imagine the pressure that everyone is under when that is on the table. Especially when the fact is that everyone makes mistakes, every security fails, and even the best training overlooks something.

Cybercriminals are smarter than your team. They will get through, count on it.

But how you come out the other side is a direct function of how you prepare your team to be motivated to act and how you support them after an incident. Get that wrong, spread the blame around, and you will remain broken.

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

Opinions

The opinions of the author are not necessarily those of the Society of Citizens Against Relationship Scams Inc. The author is solely responsible for the content of their work. SCARS is protected under the Communications Decency Act (CDA) section 230 from liability.

Disclaimer:

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX-RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use

Legal Notices: 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

SCARS, SCARS|INTERNATIONAL, SCARS, SCARS|SUPPORT, SCARS, RSN, Romance Scams Now, SCARS|INTERNATION, SCARS|WORLDWIDE, SCARS|GLOBAL, SCARS, Society of Citizens Against Relationship Scams, Society of Citizens Against Romance Scams, SCARS|ANYSCAM, Project Anyscam, Anyscam, SCARS|GOFCH, GOFCH, SCARS|CHINA, SCARS|CDN, SCARS|UK, SCARS|LATINOAMERICA, SCARS|MEMBER, SCARS|VOLUNTEER, SCARS Cybercriminal Data Network, Cobalt Alert, Scam Victims Support Group, SCARS ANGELS, SCARS RANGERS, SCARS MARSHALLS, SCARS PARTNERS, are all trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the legal department for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org