Blame in Cybersecurity & Online Safety is Rampant!
We all do it, we all blame someone for something.
Sometimes blame is justified, sometimes there is cause, and it is very hard to remove it from your vocabulary – but it is always destructive.
I recently heard a cybersecurity training professional tell a story about motivating a corporate team to do better with cybersecurity. It was something to the effect that they needed to learn the material because “You don’t want to be the one that lets a breach happen!” That is blame!
Now think about that for a moment, about blame, and let those words sink in. That is not motivation, it is blame – blaming in advance! It lets those people know that there will be blame in the event of a mistake or an incident. What would be your reaction if someone said that to you?
Yet, if we are honest, that is the way most of us talk to our children or were talked to by our parents too. This is where we learn our blaming approach to life – it starts as children – being told that we will be to blame if we do something wrong. It wires itself into our brain and without even realizing it we perpetuate it for the rest of our life – in our personal life, with our family and friends, and in the workplace.
When you try to help traumatized people recover from deep manipulative cyber-enabled crime you begin to develop an understanding of how blaming language can affect them, and how you have to modify the tonality of your language to help them.
As we [SCARS www.AgainstScams.org] have more fully explored the trauma of victims, we realized that overcoming blame was not limited to victims. In fact, it appears that “Pre-Blame” is one of the contributors to the self-blame and shame that victims of cybercrime feel after the event.
Almost everyone who experiences a cybercrime – especially those based upon social engineering and manipulation – experiences some shame after the event. This shame will prevent the victim from reporting the crime, from fully accepting it, and from sharing the experience with friends, family, or co-workers. This sense of shame even appears to increase the longer it is maintained. That is to say, the longer the secret is kept, the harder it is to tell it.
When looking at this problem of “Pre-Blame” or “Set-up Blame” in the corporate context, we see a tendency to try to reinforce the importance of cybersecurity by setting up a sense of dread in the team members so that they will “stay on their toes.” Except that it has the opposite effect. That sense of dread not only creates a fear of making a mistake, which can inhibit the critical, logical, and solution-oriented thinking needed to mitigate an incident, but can also cause paralysis after the realization that it was their fault.
As we teach – there are THREE STAGES in a cyberattack or cybercrime:
- The Attack – the actions that create or exploit a vulnerability – either of a system or a human. These are the actions perpetrated by the attacker.
- The Defense – the critical actions that need to be taken to stop an attack and mitigate its immediate impact.
- The Recovery – this is actually the step most overlooked in the cybersecurity profession and by victims themselves. It deals with the postmortem of the attack but also helps humans to understand their roles without blame and to recover from the inevitable trauma that came from that experience.
Trauma is an inevitable part of the cybercrime experience just like it is in any form of violence – and make no mistake – cybercrime is violence – no doubt about it. As Interpol says “Online Crime Is Real Crime!”
Yet, so often in the corporate or family context, we set up the blame in advance, and when the incident occurs we already know who and how to blame, like a coiled snake ready to leap. The impact of this is not just a sense of guilt or shame felt by the individual involved, even if it was a mistake that anyone would make; it also sabotages the recovery after the incident and the further hardening of the environment that will be necessary for everyone’s future security.
Consider that when you set up your teams with an advance understanding that there will be blame, the following occurs:
- Everyone develops a sense of dread; in some cases, it can almost become a phobia about using technology – the fear that they will break something.
- The team will be less likely to work together on problems for fear that someone else will discover how little they know (or think they know).
- In the event of an incident, people are reluctant to ask for help that could reduce the impact.
- If an event does occur, the team members will be more likely to cover up the incident and not ask for help to prevent future attacks because they expect to be blamed.
- Each team member believes that when it hits the fan they are on their own.
This is not a hypothesis, this is how humans are wired.
When people believe they are at fault they will blame themselves, and the same negative effects will still apply. In studying this phenomenon we have found that most victims will not recover from this. About a third will develop various forms of denial. Another third will express their self-blame or shame through anger or aggression. We find that only about one-third are sufficiently realistic to accept that the event happened, work through the trauma, and let go of the blame or shame associated with it.
The result is certainly not something that any organization wants to instill in its teams or wants to see sustained after an incident. The irony is that much of it is self-created by the simple way that trainers and managers use blame to try to motivate their people. They should instead be developing the essential cooperation that defends against and repels attacks and, more importantly, since all defenses will ultimately fail, the recovery processes and mindset that get everyone back working as a team.
Almost every organization understands the impact on their workforce when there is violence affecting their team – HR departments know how to refer to or bring in trauma counselors when there is an assault, domestic abuse, harassment, etc. But cybercrimes also leave people traumatized, especially if it was a person’s own mistake that caused it or they believe it was their fault.
A recent trend around the world is even to litigate against an employee who makes a mistake. Imagine the pressure that everyone is under when that is on the table, especially when the fact is that everyone makes mistakes, every security measure fails, and even the best training overlooks something.
Cybercriminals are smarter than your team. They will get through, count on it.
But how you come out the other side is a direct function of how you prepare your team to be motivated to act and how you support them after an incident. Get that wrong, spread the blame around, and you will remain broken.