Four human and four environmental factors are present in any situation involving conflict. If an organization is to respond to such an event efficiently and effectively, it needs a program of education and training designed both to develop awareness and to improve the behavior of each team member when confronted with that situation. In this blog post, I will examine the environmental factors more deeply and discuss how each might ignite one of four possible emotional responses from team members during an attack. While the environmental factors can be considered conditions beyond the organization's control, the response to each condition can be improved through training and the subsequent recognition of each team member's likely reaction when confronted with that which they cannot control. Combining this awareness of each team member with the seven principles of "The Doctrine of Maneuver Warfare" can mean the difference between successfully containing an attack and stopping the exfiltration of critical data on the one hand, and having to comply with the parameters of the Breach Notification Rule on the other.
The parallel between conventional war and cyberwarfare is that, in each, there will be periods of intense clashes (e.g. a successful infiltration) and of covert hostilities that never escalate (e.g. an adversary probing infrastructure). In both situations, and in all those that lie between these two boundaries, the successful execution of the organization's defense plan will be determined by how the humans involved react. Too many businesses overlook human nature when preparing their information security program.
Individuals and teams react differently to the stress of conflict and to the quiet times when there appears to be no adversary activity. During the stress of conflict, one or more of the four emotions discussed in this post will surface, and how the individual and the team function during such a crisis will determine the outcome of the defensive effort. During the quiet times, when there appears to be no threat, humans are prone to becoming careless, apathetic, or negligent. Recognizing these potential human vulnerabilities highlights the importance of discipline to the successful implementation and execution of an information security program.
No degree of technological development or scientific calculation will overcome this human dimension. Much as with a soldier, the focus of that discipline is on equipping the person with the skills, knowledge and weapons needed to limit the mistakes that are certain to occur. Any doctrine that attempts to reduce cybersecurity conflict to ratios of forces, controls and technology neglects the impact of human will on the conduct of the response.
Friction, the first of the four environmental factors, is the force that resists all action and makes what should be simple difficult and what is difficult appear impossible.
All conflict distills to a battle of wills. In conventional war this battle is external and predominantly between two adversaries. In healthcare information security, the predominant source of the battle of wills may be between the security team and the business units required to comply with the policies, procedures and technology employed to protect electronic Protected Health Information.
Friction can be mental, as in indecision regarding the changes to operational procedures needed to improve information security. It can be self-induced, resulting from the lack of a clearly defined goal, a lack of coordination, unclear or complicated plans, complicated communication systems, or an ill-defined command structure.
Whatever the source of the friction, the result is a psychological and, in some instances, physical impact on the human element involved in the conflict.
The organization must attempt to minimize self-induced friction while preparing to operate effectively within this medium. Operating effectively means overcoming the effects of friction to the organization’s countermoves while simultaneously raising the adversary’s friction to a level that destroys his will to continue the attack.
Only through experience can the force of will necessary to overcome friction be fully appreciated. However, training that employs the scenario planning, scenario analysis, and scenario execution of the principle of "Targeting Critical Vulnerabilities"[i] can approximate the level of friction found in an actual attack.
All actions in a war take place in an atmosphere of uncertainty known as the "Fog of War". It pervades the battlefield in the form of unknowns about the enemy (e.g. potential capability and intent), about the terrain, and even about your own organization's capability.
The uncertainty of the "Fog of War" and the uncertainty that surrounds the cybersecurity operational environment (e.g. the crucial vulnerabilities of the security posture, the adversary, and business associates) are mirror images. The principle of "Targeting Critical Vulnerabilities" is invaluable for addressing some of the uncertainty that creates this "Fog of War".
The very nature of any conflict makes absolute certainty impossible. As a result, decisions regarding the actions to be taken must be made on the basis of incomplete, inaccurate, or even contradictory information. This reality places greater importance on determining probabilities and using them as the significant metric in deciding which action to take.
In healthcare information security, vulnerability scanning, penetration testing, and scenario execution and analysis provide more accurate information on which to base the risk analysis. Using the output of the risk analysis to quantify the probability of a vulnerability being exploited, the organization can better predict the adversary's designs relative to its existing security posture and plan accordingly.
These actions will not eliminate uncertainty, as there will always be incomplete information due to the move/countermove aspect of a conflict environment. There must be an awareness that actions taken by the organization and/or the adversary that were considered improbable often have the greater impact on the outcome of the conflict.
Once again, the importance of preparation (i.e. planning for contingencies, developing and constantly reviewing policies and procedures, and fostering initiative among subordinates) cannot be overstated. Correcting the previously mentioned failure to fully recognize the importance of individual and team preparation during the design and implementation of the cybersecurity action plan is a critical leadership responsibility. This element of human nature is best corrected by a leadership that emphasizes discipline in the performance of each employee's role and responsibility to the enterprise information security program.
It is discipline that brings Focus[ii] to the security vision of the executive team. Its objective is to equip each individual, according to their role, with the security skills, knowledge, and resources that best enable the prevention, quick detection, and rapid response to a breach event. Of equal importance is the integration of these individual roles into a team confident that each member will perform their responsibilities as practiced.
Risk is inherent in every decision made regarding information security. Decisions must be made and executed with Boldness[iii]. Each risk must be assessed relative to the risk tolerance established by the executive team. It must be understood that risk is related to gain, and there is normally greater potential for gain in actions that carry greater risk.
Risk is equally common to action and inaction. But it must be understood that acceptance of risk cannot lead to the imprudent willingness to gamble the entire likelihood of success on a single improbable event.
Risk also includes the ungovernable element of chance. Chance is a continuous source of Friction: it consists of turns of events that cannot reasonably be foreseen and over which neither the organization nor the adversary has any control. The uncontrollable potential for chance creates psychological friction that favors neither side.
So, while chance must be viewed as a threat, it can also present an opportunity that the organization must be prepared to exploit.
Each episode in conventional warfare and cybersecurity warfare is the temporary result of a unique combination of circumstance, requiring an original solution.
However, each unique episode merges with those that preceded it and will merge with those that follow. An example in healthcare might be attacks on an organization that mimic similar attacks that achieved success for the adversary elsewhere. This is quite likely, given the level of communication on the dark web and an adversary's desire to enhance their reputation by flaunting both the success and the profit gained.
Each episode is shaped by the former and shapes the conditions of the attacks that will follow. This reality creates a continuous, fluctuating fabric of activity that must be countered by the “Continuous Oversight”[iv] of the defender. This move/countermove scenario will produce unseen events and new opportunities for opponents.
The successful opponent will be the one who, in large part, is able to adapt to the constantly changing environment. The opponent able to execute at a high Tempo[v] for periods of intense activity will outperform their counterpart. The implementation of the “Decision Cycle of Observe, Orient, Decide, Act” can have significant positive impact on increasing the tempo of the response.
Fluidity is the competitive rhythm of these merging events that develops between opposing wills, with each belligerent trying to influence and exploit tempo and the continuous flow of events to achieve his purpose.
In an atmosphere of Friction, Uncertainty, and Fluidity, the natural course of events is a drift toward disorder, which can result in chaos.
The factor of Disorder can never be eliminated. In the heat of the conflict, plans will go awry, and instructions and information will become clouded and misinterpreted. Communications will fail, and mistakes and unforeseen events will be commonplace. This natural disorder creates situations ripe for exploitation by an opportunistic will that is prepared to improvise and adapt.
An organization must be able to operate in the disorderly environment, which is the norm in a security event, if it is to succeed in stopping the advance of a threat actor and subsequently removing them from its environment. The principle of Decentralized Decision Making[vi] can be instrumental in minimizing the disorder and the resultant chaos.
In the case of a cybersecurity event on a healthcare provider, disorder in the organization’s response can result in a compromise to protected health information much greater than might have been the case had a general framework for the implementation of an information security program been imposed and regularly reviewed and tested. An even greater threat than compromised data is the growing threat to patient safety due to the steadily increasing implementation of IoT medical devices.
It is apparent that the implementation of a general information security program framework enables the organization to bring order to this disorderly environment by prescribing a general flow of action rather than trying to control each event. The “Doctrine of Maneuver Warfare” is just such a general framework.
The “Doctrine of Maneuver Warfare,” if implemented and managed through the principle of “Continuous Oversight,” enables the organization to operate in the disorderly environment that is a cybersecurity attack.
The Human Dimension of Emotion
In their whitepaper, "Factoring the Human Element into Your Data Breach Response," AllClear ID cited four key emotional responses to address during a crisis. Neil Patel, marketing expert and entrepreneur, is quoted in Forbes Magazine as saying, "Emotion influences the entire cognitive milieu of the decision-making process."
While the AllClear ID whitepaper focused on the crisis created by a breach, it is fair to extend these same factors to the development and implementation of an Information Security Program. That effort will be fraught with crises of differing degrees caused by the change required for the organization to adopt a different philosophy in its approach to information security. The four emotional factors that can affect each individual and, ultimately, the ability of the team to function during a crisis are discussed in turn below.
Culturally, the “That can’t happen to us” mentality is natural, but it is also a hazardous attitude. What may be worse is the “I can’t believe that just happened to us” mindset. After a breach, any time lost early in the response period can lead to severe consequences.
If the team has not been preparing for the eventual breach and the leaders have failed to regularly test their team’s skills, the severity of the situation will increase and turmoil will prevail. In many instances, the leaders are frozen and the Tempo of the adversary seizes control and dictates the moves each opponent executes.
Healthcare information security is in an "era of uncertainty" in which the impulses to "fight, flight, freeze or appraise" are all normal reactions to an attack and should be anticipated. During test scenarios, it is as important to design scenarios in which failure is the probable outcome as it is to train on the actions to be taken to mitigate the effect of the breach.
Emotions such as anger and fear are normal and most often surface when the outcome is failure. Scenarios designed to provoke these emotions will help individuals, and the team as a whole, learn to control them and limit their interference with clear and objective thinking.
Failing to stress test leaders and key contributors will only lead to one or both breaking under the pressure of a real event.
Opportunities can be missed as a result of Tunnel Vision, another factor of human nature. The natural response, often, is to forge ahead using what has worked in the past without considering different and differing points of view.
A willingness to think "out of the box" must be encouraged if this natural response is to be overcome. The scenario planning, scenario analysis and scenario execution functions of the "Targeting Critical Vulnerabilities" principle are an excellent avenue for developing such thinking. Encouraging different thinking and boldness is vital. The philosophy that "If everybody is thinking alike, then somebody isn't thinking"[vii] has value both in overcoming Tunnel Vision and in developing a clearer understanding of the leader's intent, which is one of the three variables that require attention to detail for the successful execution of the "Decentralized Decision Making" principle discussed in the whitepaper, "Applying the 'Doctrine of Maneuver Warfare' To the Execution of a Cybersecurity Action Plan".
The ability of individuals to make decisions in parallel that achieve the leader's intent is vital. To that end, the team must consider the effect of Decision Fatigue on those decisions. After days and weeks of making high-stakes decisions, emotional and physical exhaustion sets in and triggers decision fatigue. The result is a diminishing capacity for considering trade-offs and identifying dependencies, an increasing avoidance of action, and a tendency to make more impulsive choices, or no choices at all.
The ability of the crisis team and all employees to anticipate and cope with these emotional factors is critical to a successful breach response.
A cross-functional team should be assembled from various levels of the organization. Creative thinking and thorough reasoning must be encouraged. Creative thinking and thorough reasoning are more likely to occur if the team is composed of different genders and cultures.
The planning and preparation of breach and response scenarios will build trust between the individual team members and enable the rapid decision making necessary for a response. The principles of Tempo and Decentralized Decision-Making, if they have been stressed in both preparation and scenario testing, will reduce the impact of the emotional reactions to a breach crisis.
The security team is not the only audience for concern regarding the emotional stress of a breach. Every employee is a potential victim of an attack as well as an avenue to the critical data the organization is guarding. In the typical organization, it is reasonable to take the position that the majority of employees of that organization do not identify with the security threat they present and/or how their behavior potentially jeopardizes patient safety and the business viability of the organization. Developing good security habits must be an objective of every organization’s cyber-security program. As such, leadership must be both visible and actively involved in implementing and enforcing the security program.
In Sun Tzu's "The Art of War", one of the five elements of the framework is "Conditions". These are the things that will always exist in the operational environment but cannot be controlled by either force. Such is the case with the four Human and four Environmental factors. However, as with any "Condition", the organization's relationship to that which cannot be controlled can be adjusted so that favorable opportunities become available.
[i] The primary focus is on targeting the critical vulnerabilities of the organization relative to cybersecurity. Principle 1 of “The Doctrine of Maneuver Warfare”.
[ii] Focus is the generation of superior combat power at a particular time and place. Principle 4 of “The Doctrine of Maneuver Warfare”.
[iii] This principle requires the use of a risk/reward trade-off framework to increase the organization’s inclination to make bold decisions, train people to evaluate choices and make decisions, and act in the absence of complete information. Principle 2 of “The Doctrine of Maneuver Warfare”.
[iv] At the core of Continuous Oversight are people regularly reviewing the dynamic threat landscape of the healthcare industry and applying their current knowledge, together with that threat intelligence, to measure the effectiveness and relative security (i.e. through security assessments) of policies and procedures, physical safeguards, network and server security, and application security.
[v] Tempo is often associated with the mental process known variously as the “Decision Cycle of Observe, Orient, Decide, Act” pioneered by Air Force Colonel John Boyd. Principle 6 of “The Doctrine of Maneuver Warfare”.
[vi] Principle 5 of “The Doctrine of Maneuver Warfare”, Decentralized Decision Making relies heavily on an understanding of the security leader’s intent and enables those closest to the action to take advantage of On-the-Spot information, not immediately available to their superiors, and allows them to exercise initiative.
[vii] General George S. Patton