Awareness – Desired Behavior = Breach
In this final installment of the series (see part 1 and part 2) on Mature Cybersecurity Culture, we discuss principles of human nature that should be considered and addressed when working to improve each worker’s behavior, so that the critical digital assets used in the performance of their role in the organization are protected.
Human error has long been understood to be a weak link in the cyber model, yet most organizations struggle to address this weakness effectively. Major causes of human error include:
- Lack of situational awareness – often viewed as the most frequent cause,
- Lack of teamwork,
- Lack of knowledge,
- Distraction and pressure,
- Emotion – stress, fatigue, complacency.
“The purpose of an organization is to enable ordinary human beings to do extraordinary things.” – Peter Drucker
Extraordinary is defined as “very unusual or remarkable”. The financial warfare being executed through the weaponization of information by nation-states and organized cybercrime is an expanding arena of conflict, making every member of the organization a potential attack surface. From the perspective of the current mindset of many frontline workers, the behavior necessary to mitigate the financial vulnerability (or, in the case of healthcare, the risk to patient safety) can be seen, and often is seen, as unusual.
Thinking across departments that have historically not coordinated their efforts has become necessary if the information being shared is to be protected. Within the current security mindset of many organizations, such coordinated thinking may be seen as extraordinary and an obstacle to the employees maintaining the productivity expected of their roles. If this mindset is to be changed and matured, a Mature Cyber Model within the organization’s culture must become a focus.
The goal of the Mature Cyber Model must be to create a new perspective regarding this perceived unusual and extraordinary behavior. This can be done through training that targets behavior change within a few specific universal principles of human nature.
In the book Left of Bang, nine principles of human nature are discussed with regard to how they can assist in identifying physical threats by observing the behavior of people. While not all of the principles apply in cybersecurity, I would submit that factoring five of them into the design, training and preparation of the Mature Cyber Model will help mitigate the five major human-related causes of breaches, and will positively impact decision making for each frontline worker.
Accordingly, we will explore these five principles of human nature, used for profiling in a combat situation, not in an effort to profile employees but to improve performance in desired security behavior. By incorporating an understanding of human nature into the effort to create a Mature Cyber Model, the human tendency to resist changes in behavioral habits may be lessened.
It is important to note that while these principles are universal, how they are addressed in each organization’s security training program requires creativity, innovation, and tailoring to that organization’s unique operating environment. This requires significantly greater effort than the compliance-motivated, “cookie-cutter” training program so often used today, which frequently fails to develop the Mature Cyber Model required!
Principle 1 – Humans are creatures of habit
Over the course of life, we develop a mindset: a fixed mental attitude that determines our response to a situation.
Because humans are creatures of habit who follow simple reproducible patterns, we are reluctant to change those patterns until behavior becomes unproductive and, even when confronted with clear failure, often follow the same behavioral patterns in the hopes the outcome will change. Such behavior is the result of a “fixed mindset”. Most individuals are governed by a fixed mindset.
Many organizations also operate with a fixed mindset foundation that limits behaviors such as sharing information, collaborating, innovating, seeking feedback or admitting errors. Growth in every one of those behaviors would improve teamwork and help the maturity of the cyber model. Instead, the current fixed mindset often results in a desire – on the part of the individual or organization – to look smart, avoid challenges encountered, see effort as fruitless, or worse, give up easily and ignore useful negative feedback.
In order to overcome this mindset, an attitude (mental model) must be developed that it is better to effect change than to be forced to change due to an event that affects an organization such as a breach. In the Marines, an attitude that was instilled in me that guides me to this day is “Improvement can always be achieved and there is never an end to preparation”.
Such an attitude is known as a growth mindset, and it must be the mindset in the pursuit of a Mature Cyber Model. A growth mindset embraces challenges, sees effort as the path to mastery, and enables a person to persist in the face of setbacks and to learn from criticism and even failure. A growth mindset must be the dominant mindset if a person and/or organization are to persevere in the never-ending journey to mature and grow as the threat environment evolves.
The growth mindset encourages continuous learning and creates the motivation to work hard, resist the human tendency to become complacent and respond resiliently to the failure and adversity that are sure to be encountered.
Principle 2 – Humans are lazy
While there is a bluntness in how this principle is stated, most would agree that humans will generally take the path of least resistance when faced with two options. Because this is human nature, whether you are a leader or frontline worker in the organization, you are susceptible to taking the path of least resistance. One of the most costly mistakes an organization can make is to permit an atmosphere of complacency to develop by failing to consider this principle in the effort to mature the cyber model. Such complacency will negatively impact situational awareness and lead to further vulnerability. The potential for increased complacency exists in the new norm in which organizations are being forced to operate today.
In the cyber threat environment, training in mental toughness should be considered a critical component of the Mature Cyber Model, specifically the perseverance component of mental toughness. Perseverance is the combination of emotional control and a delivery-oriented attitude.
Emotions drive a person’s thoughts and behavior. Emotions color a person’s perspective on a situation.
“Men are disturbed not by things, but by the view they take of them.” – Epictetus
The ability to control emotions enables a person to intentionally choose how to respond to a situation. In Part 1 of this series, we discussed the tendency of individuals, in the performance of their daily responsibilities, to operate at the “Condition White” awareness level. Given the continuously evolving threat environment, the daily awareness level should be “Condition Yellow,” in which the person understands that threats exist and is mentally prepared to take action when a threat is detected. Operating at this awareness level is especially important in the work-from-home environment, which interrupts the normal communication between co-workers in an office. The focus necessary to operate at this level of awareness can cause an individual to become fatigued, which can lead to complacency.
The delivery-oriented aspect of mental toughness is connected to emotional control by grit which can be useful in maintaining focus as well as aiding in dealing with fatigue. The results of numerous studies relative to drive and energy suggest that in every field grit may be as essential as talent to achievement. Grit is more often associated with long-term perseverance, such as the day-to-day tasks a person must perform. In this daily environment, the stress level is minimal and it becomes necessary to overcome the human nature to be complacent. Grit is most often needed when a person least expects it and it is necessary for keeping the individual’s focus on their goals while controlling the emotions that would alter that focus or cause them to quit.
Baselines need to be established to define what is the desired behavior for the environment in which the individual operates. This will continue to evolve as the work-from-home operating environment becomes more of a standard, new technology is implemented, and a more secure approach to using technology is demanded both organizationally and personally.
When stress becomes a factor, individual functions will be significantly influenced by the person’s ability to control their emotions. Due to the absence of the peer-to-peer interaction that might help lessen the stress and its impact on emotions, it is not unreasonable to anticipate an increase in stress during daily operations in the work-from-home environment.
For this reason, training scenarios should be structured to introduce stress.
Training in this behavior, enforcement of the behavior and monitoring must be a part of the governance of the performance relative to the Mature Cyber Model. Addressing this principle in training and preparation may be the most impactful principle in the effort to design and implement a Mature Cyber Model.
Principle 3 – Humans are predictable
Humans involuntarily mimic others. Research has shown that even when involved in a situation requiring a person to be unpredictable, they remain very predictable and fail to demonstrate any type of random behavior.
Something to consider regarding the mimicking of others is the positive outcome that can result from identifying influential individuals who could be trained in the desired behavior, so that, through their actions, less capable performers observe and mimic that behavior.
Human behavior, regardless of location, will display a great number of parallels. Cybercriminals view habitual areas as places of opportunity (e.g., social media), observe the behavior in these locations, do their best to blend in with that behavior, and attempt to remain undetected.
In far too many instances, the adversary exploits this principle of human nature by analyzing set patterns of the organization or targeted personnel. They are then able to predict the next movements and actions and prepare to attack when they are presented with an advantage.
For this reason, the principle of surprise in the Doctrine of Maneuver Warfare is a valuable tactic for an organization to consider when planning tactics for maturing the cyber model. In using this concept as part of the Mature Cyber Model, this principle of human nature can be mitigated by degrading the quality of the information available to the adversary.
Likewise, using respected individuals to improve behavior shaped by this principle of human nature may best be achieved through cross-department and team scenarios that create the potential for observing, learning and mimicking desired behavior.
Principle 4 – Humans are not good at multitasking
Multi-tasking, in actuality, is a myth due to the significant cognitive limitations that naturally focus a person on doing one thing at a time. The attempt to do more than one thing at a time – regardless of gender – causes focus, ability, and productivity to suffer as a result of the division of a person’s attention and concentration.
When mental energy is divided, an individual’s behavior and ability to perform with consistency are impacted. This lack of consistency is due to the brain’s higher centers sending several conflicting commands that require separate and different physical actions.
“The mind is like water. When it is turbulent, it is difficult to see. When it is calm, everything becomes clear.” – Sun Tzu
This principle may be particularly relevant in the new norm of work-from-home due to interruptions, not normally experienced in an office environment, that distract from the attention needed to focus on performing the required task.
If training in the skill of behavior creates habits, the difficulty associated with multi-tasking and cognitive limitations can be mitigated and both security behavior and performance improved. An organization, in its effort to mature its cyber model, must provide training that adds mental models to the mindset of each worker such that security behavior and decisions on action to be taken are less impacted by this principle of human nature.
Principle 5 – Humans are generally cybersecurity illiterate
This statement is not meant to be derogatory, rather it is intended to state the reality that, in general, we function in our environment lacking an appropriate level of situational awareness. Because of our cognitive limitations, when a person is mentally focusing on something such as performing the responsibilities of their role in the daily operations of the organization, they lose sense of their surroundings and the level of awareness required by that work environment. Such a lack of awareness can result in poor security behavior.
Situational awareness is critical to decision making. A majority of decision making is often related to the response to detection of a breach effort or to the event itself. A principle of the Doctrine of Maneuver Warfare is Delegated Decision Making. In the context of response, delegated decision making has value in that it provides the authority for an individual close to the incident point to make decisions on an action with the understanding the action meets the intent of the security leader.
While not officially sanctioned, frontline workers have, to an extent, delegated decision making, if for no other reason than that supervision of every decision is not available. This de facto delegated decision making becomes an even greater threat in the work-from-home environment. If trained in the expected behavior of the Mature Cyber Model, the individual is more likely to maintain appropriate situational awareness, make decisions that meet the security leader’s intent in that situation, and act in a manner that better secures the organization’s business operations.
This series of articles has only touched on the effort necessary to create a Mature Cyber Model as a component of the organization’s culture. Building such a model requires an investment of time and resources in what is so often described as the organization’s most valuable asset. However, far too many organizations have not been willing to make the level of investment necessary to mature the cyber model within the organization’s culture.
So, a question I would suggest leadership ask of themselves is:
“What value do I place on the critical assets that provide this organization with a competitive advantage?”
Once a value has been determined, a follow-on statement and question might be:
“If 69% of breaches are the result of human error that jeopardize that asset, why is it so difficult to justify investment in mitigating that risk as much as possible?”
To quote Hazel Chappell, “COVID-19 is driving need, need is driving innovation and innovation is driving change.”
Everyone agrees there is a need to change the security behavior and mitigate the risk related to human error. Innovation in behavior training is the means by which to drive that change. In that context, I will conclude this series with the following quote.
“Progress is impossible without change, and those who cannot change their minds cannot change anything.” – George Bernard Shaw
I would like to express my thanks to Hazel Chappell, Founder – ishca health llc for her contributions and suggestions to the writing of this article.