Mental Toughness is a Key Factor in Cyberattack Resilience.
In cyberwarfare, as in any conventional combat, the primary target is the mind of your adversary. The competitor having the mental strength and agility to break the will of their opponent is victorious. For this reason, strengthening the mental toughness of an organization, both as a whole and individually, must be a priority.
It is not unusual for mental toughness and stubbornness to be mistakenly seen as sharing similar qualities. In fact, the characteristics that define the mindset of each differ significantly.
If someone is stubborn, most often they are opinionated, outspoken, bossy or demanding. Stubbornness is a dogged determination not to change one’s attitude or position on something. You might know a person with these traits and perceive them to be mentally tough. Stubbornness is a weakness. It is a hindrance to anything constructive because it means possibly better alternatives are not considered. Such an attitude does not strengthen resilience, which is a key attribute of a person and an organization in a cyber event.
Mental toughness is an element of the human will that is inherently flawed. Even organizations with mature cybersecurity models can miss the importance of human nature or mistakenly see technology as a solution for human nature.
Many researchers have identified mental toughness as a significant factor contributing to performance excellence, as well as a performance enhancer. While it can be influenced by external sources, to ultimately master the skill it must be taught. It takes years and a lot of experience to approach mastering mental toughness. The reality is no one will ever master mental toughness. It is not measured by the actions of the person; rather, it is the reaction of the person or organization (i.e., resilience) which determines their mental toughness.
We can only try to become as mentally tough as we humanly can be but at some point, anyone can eventually break someone of their mental state. In the case of a cyber crisis, the breaking is being accomplished, far too often, by the cybercriminal causing the decision-making of the defender to negatively impact the response and resilience of the organization.
When we encounter stressful situations or are faced with any kind of adversity, the resultant outcome in terms of positive or negative emotional responses and the effects those responses have on our performance will be influenced by our ability to successfully manage internal and external demands. This refers to the ability to go beyond pure physical talent, skill and ability and tap into the mental side of performance enhancement and optimization.
Stress, such as that experienced in a cyberattack, is very powerful and it can negatively affect the body in a number of ways, including mental fatigue. Too often people overlook mental elements when faced with difficulty in performance or whenever faced with a situation that requires an enhanced level of performance.
The purpose of this two-part series is to provide a greater understanding of mental toughness, the journey to strengthening it in a person and/or organization, the type of training necessary to achieve improvement and the value to the organization in pursuing development in both the person and organization.
Mental toughness is a skill set that, like all skills, gets better with practice, patience and discipline. It is like a muscle and needs to be worked to grow and develop. Mental toughness is a measure of individual resilience and confidence that may predict success. It is based on a growth mindset, determines the individual’s willingness to embrace challenges and leans toward a desire to learn. It facilitates an adaptive response rather than the more inflexible response that is associated with stubbornness.
Mental toughness provides a psychological edge and enables a person to remain focused and confident during high-pressure situations, enabling them to perform at their full potential.
It is the basis for the commitment to growth that must be achieved in the effort to strengthen an organization’s cyber defense. Through continuous learning, an individual’s or organization’s perspective changes and the willingness to proactively address the challenges of an evolving threat environment becomes the baseline behavior.
The tendency of this new desire to learn is witnessed in the attitude to:
- View failure as an opportunity to improve.
Making mistakes is not a negative but, in fact, should be viewed as a learning experience and a valuable training tool. The biggest opportunity to fail is the biggest opportunity to win. Too many people are hardwired to shy away from failure. They naturally have a sense of intimidation regarding failure and immediately retreat by talking themselves out of trying.
For every mistake you make, you discover more about yourself: your limits, your capabilities and what you can do. Don’t give up or equate, as many do, making a mistake with being a failure.
“It is impossible to live without failing at something unless you live so cautiously that you might as well not have lived at all, in which case you have failed by default.”
As you will see when we discuss the Confidence component of mental toughness, the fear of failure can be overcome and the perspective towards an event becomes one of seeking the next opportunity.
F.A.I.L means “First Attempt in Learning” and E.N.D means “Effort Never Dies.”
- Persist in the face of setbacks.
See setbacks as temporary and maintain an attitude of, “Things happen occasionally but it’s no big deal.” This attitude is not meant to make light of setbacks but rather to enforce an understanding that, with every setback, new opportunities arise relative to the goal being pursued. Purpose matters but it is an attitude that causes a person to continue moving forward in this moment of setback.
- See effort as the path to mastery.
Mastery is a perspective within an individual’s mindset and will be established using either the Entity Theory or the Incremental Theory to strengthen individual and organizational security situational awareness.
- Entity Theory: Holds that intelligence is a finite supply that cannot be increased. People and organizations who believe that working hard means that you are not very good at whatever you are trying to do also tend to blame a lack of intelligence for not getting things done or not achieving whatever they want to achieve. Training based on this theory prefers performance goals over learning goals: its adherents are satisfied with a good grade on a test on the subject rather than actually becoming proficient in the subject. An example of this training theory is often seen in security training structured to satisfy a compliance requirement for a regulation to which the organization is subject.
- Incremental Theory: Holds that intelligence may vary from person to person but that, with effort, it can definitely be increased. Unlike believers in the Entity Theory, believers in the Incremental Theory prefer learning goals over performance goals. Their aim is to continually improve their proficiency in the performance of a task rather than passing a test relative to the subject. Using this theory to improve situational awareness of threats and vulnerabilities within the individual’s operational role would result in improved mastery.
In order to master mental toughness, training must be based on the theory of incremental intelligence, emphasize development/learning goals and encourage effort as a way of improvement.
It is not surprising that as mental toughness is mastered, security behavior training should be based on the same theory.
Mastery is a pain. It requires painful, excruciating, all-consuming effort over a long time period! The organization must be willing to commit time and effort to the repetition of mundane activities that produce the behavior habits necessary for mastery.
Masters of a subject don’t do extraordinary things. Regarding the subject of cybersecurity, masters do ordinary things without thinking, using habits they’ve learned and at a tempo that forces the adversary to react to their action taken. At the point when the mundane tasks become habits, the organization has the time and energy to take another step in the direction of mastery.
Mastery is an asymptote in that it can never be 100% achieved. Continued pursuit of mastery will cause you to get closer but the changing environment will create a situation for you or the organization that requires a change in behavior relative to opportunities that evolve from that change. The beauty of mastery is you can always improve performance in the things that matter to you.
When an individual identifies an area in which he/she wants to aim for mastery, it will give that person purpose and a motivation boost. It is at this point where leadership must work with the individual whose skills/strengths, in that particular area, should be the target of mastery for the benefit of the individual, team and organization.
- Learn from criticism.
Use criticism as a learning experience. The attitude towards receiving criticism must include the understanding that it is the opinion of the person providing it and is based on their perspective created from their knowledge and experience. You must not reply in a defensive manner or allow the criticism to lower your self-esteem. This latter point is important for leaders to consider when they are performing an after-action analysis and presenting corrective action suggestions to an individual and/or team.
Building mental toughness is a journey fraught with many failed efforts and, as such, criticism that results in increased hope for performance improvement is a powerful and dynamic cognitive motivational tool.
There are two types of motivation available and both have value in increasing mental toughness.
• Intrinsic Motivation.
Intrinsic motivation is defined as performing an action or behavior because the individual enjoys the activity itself. Such motivation is directly connected to the individual executing a task that requires the use of a skill for which they have a passion. That passion drives them to persevere and remain motivated by the satisfaction of improved performance and the reward in further development of that skill.
This type of motivation is important in building habits because the focus of the individual remains strong and they feel greater satisfaction in their achievements. Unfortunately, in too many instances, it is a missing ingredient in the effort to implement a dynamic, progressive cyber defense.
In order to hook this motivation in an individual, leadership must be committed to understanding the individual, committed to equipping them and placing them in a position that best uses those skills.
The individual effort to strengthen mental toughness is increased because there is a stronger willingness to prepare and a more focused commitment to continuous performance improvement.
• Extrinsic Motivation.
Extrinsic motivation is focused purely on outside rewards and/or outside punishment. To date, most cybersecurity training is performed using this type of motivation.
People who are extrinsically motivated will continue to perform an action even though the task might not be, in and of itself, rewarding.
Cybersecurity efforts are, in many instances, tasks that are routine and not enjoyable, and the individual’s motivation for completing them is continuing to get a paycheck. The question becomes, “Does the quality suffer as a result of this type of motivation?”
If used in the context of strengthening mental toughness, verbal praise/reward must be slanted towards effort, process and choices, rather than the abilities or intelligence of the individual. A person who feels appreciated and valued will always do more than expected.
Regardless of the type of motivation employed, the quality of performance will largely be determined by where an individual’s attention, mindfulness, is drawn.
Mindfulness is a deliberate, non-judgmental awareness of the present moment and is critical in ensuring the desired security behavior, focus and perseverance are maintained during the day-to-day execution of the duties of the individual’s operational role. The level of mindfulness in the execution of their duties is often governed by an individual’s attitude, formed as a product of the motivation type used.
By remaining focused on the here and now, the individual does not allow their thoughts and emotions to be hijacked by events in their daily tasks that provide the potential for creating anxiety.
The Four Components of Mental Toughness
Mental toughness is a combination of Inner Strength and Outer Orientation. The Inner Strength components are Control and Confidence and the Outer Orientation components are Challenge and Commitment.
Control is the ability to handle lots of things simultaneously and remain influential rather than controlled. In order to maintain control, there must be a discipline which most often involves doing something you don’t want to do, when you don’t want to do it. “Discipline must be a habit so ingrained that it is stronger than the excitement of battle.”
Succeeding in any stressful situation will be determined by control. There are two elements of control in mental toughness.
• Life Control: Describes the extent to which an individual believes they can influence what happens to shape the events around them. Relative to their role in the organization’s operational environment, the individual must try to accept that setbacks are normal and resilience is critical.
By identifying the factors within their control, as well as those beyond their control, they will maintain a focus on the areas in which they can exert influence through the execution of behavior that meets the security leader’s intent.
By continuously monitoring performance, the individual is able to learn from what has happened previously, look at setbacks and identify what should be done differently in a similar situation in the future.
A key factor in learning from previous experiences is having someone, a mentor, with whom to discuss the areas needing improvement and collaborate on methods of improvement.
• Emotional Control: The nature of cyber defense often requires ‘in the moment’ decision-making that will impact the outcome of an event. “Emotion influences the entire cognitive milieu of the decision-making process.” A person’s ability to function under stress will be significantly influenced by their ability to control their emotions.
“Cyber crisis response presents an interesting new area for the psychology of incident planning because the hybrid/digital real-world environment imposes a very high cognitive workload.” Training in mental toughness will aid in the effort to improve the capabilities of cognitive agility needed in this type of crisis.
It is human nature to react instinctively, based on emotion, and such reactions are generally not adaptive to the situation being confronted. They are most often clouded by this emotion and are then based on a lack of appreciation of the true scale of the problem.
A survey conducted by Norton Life Lock reported, “Emotions experienced after detecting unauthorized access were: anger (52%), stressed (46%), vulnerable (41%), violated (34%), powerless (31%), embarrassed (19%) and at fault (14%).” Each of these emotions can result in a loss of focus, overreaction and decision fatigue.
“Men are disturbed not by the things, but the view they take of them.” Emotional control enables the individual to place their attention on solving the problem rather than on the way they may feel about the problem! We can’t control what happens in our outside world, but we can control our interpretation of it and act responsively.
A major component of resilience is training the mind to be stronger than your emotions. This is the reason for creating training scenarios that involve a high degree of uncertainty and many unknowns, are time-constrained and require quick decision-making under pressure. Individual training should be very intense and tailored to the specific role of the individual.
Self-efficacy connects the two components of inner strength. It is an individual’s belief in their innate ability to achieve a specific outcome or reach a specific goal and affects every area of human endeavor. By determining the belief a person holds regarding his or her power to affect situations they experience, a baseline will be established in the Learning Zone (Figure 2).
Confidence is the ability to maintain self-belief despite setbacks and not be intimidated by the tactics and techniques of your adversary.
Intuitive decision-making is, in part, a product of confidence gained from experience, feelings and judgment. Intuitive decision-making is a higher consciousness developed into habit through training such as that done to strengthen mental toughness.
Fear is just an indication of how important what you are doing is to you. In many instances, fear is the result of low self-efficacy. The inner voices of self-criticism undermine what must be addressed and overcome.
Experiencing situations through increasingly intensive and difficult training builds confidence in individual abilities and skills.
• Confidence in Abilities.
Teachability is the willingness to be involved in continuous study and training, for the purpose of improving your instinctual response to the unexpected. It is human nature to fear the unknown. If you haven’t experienced it before, even the most positive attitude will have doubt. Through training, you become familiar, thus reducing the doubt. This reduced doubt leads to reduced fear of failure, which leads to increased confidence in abilities that produce a greater chance of success. Realizing success in one endeavor will embolden a person to make an effort in another situation where they have little knowledge at the beginning. Confidence comes not merely from possessing knowledge, but from gaining wisdom from the use of that knowledge and understanding that further knowledge will be gained from future training.
• Inter-personal Confidence.
This is self-confidence. It is not a static measure and can be increased based upon your willingness to discern what is within your ability to impact. Because the brain is a muscle, like any other muscle, it has a limited supply of strength. Those limitations will always be present but by identifying the key skills a person possesses and focusing on the development of those skills, the individual will better understand their ability to effect change and grow in confidence from that success.
Here, a growth mindset is critical as it provides the perspective that the lessons learned from mistakes of their own and the observation of mistakes made by others are more valuable than the lessons learned from successes.
Through the knowledge of personal skills gained through education in the Learning Zone and training to improve performance of those skills in the Growth Zone (Figure 2), the ability to overcome the fear of the unknown is improved and self-confidence increased.
Engagement is the connection between Inner Strength and Outer Orientation. It is the arrangement the individual or organization has made to do something. In this case, it is the arrangement between the organization and the individual to set development goals targeting the improvement of their competencies and skills relative to security behavior. By expanding the individual’s skill set, the organizational security behavior will be strengthened to the benefit of the effort to develop a mature cyber model within the enterprise culture.
 “Today our primary weapon systems are our people’s heads. You want to excel in all the physical areas, but physical is just a prerequisite to be a Seal. Mental weakness is what actually screens you out.” XO Seal Team 10
 J.K. Rowling
 General George Patton
 Oprah Winfrey, “A mentor is someone who allows you to see hope inside yourself.”
 Neil Patel, marketing expert and entrepreneur, Forbes Magazine
 Rebecca McKeown/Dr. John Blythe, The Psychologist’s View, Immersive Labs – Cyber Workforce Benchmark, 2022
 Norton Life Lock Inc. 2021, 2021 Norton Cyber Insights Report: Global Results, Norton and Harris Poll, May 2021
 Epictetus, Greek philosopher, developed a system of thought that allowed him to remain calm and mentally resilient despite the threats in his life.