Hit too many times with successful attacks and compromises, an enterprise’s human resources can develop a victim mentality, a.k.a. learned helplessness. When this happens, employees who feel they are helpless to do anything effective to fight cyber attacks lose hope.
CSO looks at the symptoms of the victim mentality in the enterprise, how it comes about, and what enterprises can do technically and psychologically to avoid it.
The victim mentality and its symptoms
In the field of psychology, professionals also refer to the victim mentality as learned helplessness. “Learned Helplessness is a pattern of behaviors that develop in people when they are in a situation where they feel they have no power or control and they essentially give up,” says Steven Salmi, PhD, LP, President and CEO, Corporate Psychologists.
Learned helplessness can surface in the corporate world where constant and extreme information security threats flourish. “If people feel stuck in a situation where no available choice will get them out of it, they can start to shut down,” says Salmi.
There are earmarks, or symptoms, that can help an organization gauge whether its people may have succumbed to learned helplessness. One of those symptoms is apathy. “Your people will exhibit passivity and disengage from their work. They won’t put in the discretionary effort that your high performers do,” says Salmi. Or, they may intermittently demonstrate lower levels of engagement.
And because misery loves company, affected employees may try to bring others down or look for co-workers who are already afflicted with whom they can share their emotional state. “People with learned helplessness point the finger, give excuses, shift the blame, and procrastinate. They can be more pessimistic, even defensive,” says Salmi.
One security expert has empirical evidence that supports the psychological interpretation. “I hear continuously that breach is inevitable and you simply must assume compromise and that it is not possible to build systems and security that can stop attackers,” says Eric Cowperthwaite, Vice President, Advanced Security & Strategy, CORE Security.
Further evidence appears when enterprises buy security breach insurance despite the fact that they don’t have a visible security program. “This happens because the organization assumes that breach is inevitable and that they need to try to transfer the risk using insurance,” says Cowperthwaite.
Finally, the victim mentality is visible when security leadership wants to immediately focus on stopping the biggest potential threats, such as zero-day attacks and APTs, before addressing basic security. “They assume that the bad guys are so advanced that the organization cannot stop them by doing the basics of security,” says Cowperthwaite.
“In my experience, more than 90 percent of all intrusions, incidents, and breaches occur because the organization didn’t take care of the basics,” says Cowperthwaite. For example, the organization did not apply patches, did not harden systems, did not keep firewalls up to date, and did not have a security leader at the executive level who was directly accountable to senior leadership.
In many enterprise environments, people carry a lot of responsibility, and information security threats target the data they are responsible for. Even if they try to anticipate the next attack, they really have no idea who is going to launch it or when or how. “If you feel like you have a lot of responsibility in a high stakes environment but very little control to effect a meaningful change, that’s going to create learned helplessness,” says Salmi.
Learned helplessness can also come about when a low-level manager is in charge of security and has no business visibility to aid him. “This leaves the impression that the organization does not care about proper information security and they are not going to implement basic security measures to keep the enterprise secure,” says Cowperthwaite. The victim mentality arises here because security leadership knows what resources they need in order to secure their systems but they don’t feel that their business cares enough to provide them.
Too much negative security news can also be defeating. “We have been beat to death by media stories about breaches. Every time we turn around someone else is being hacked. That misleads people to believe that anyone can fall victim. But as we dig into these breaches, it turns out that the enterprise didn’t do something basic like patch a test server, which an attacker used to break into the network,” says Cowperthwaite.
Preventing learned helplessness
To prevent learned helplessness or reclaim people who suffer from it, it’s important to foster resilience in people over time, to support and enhance their ability to recover from failure, to be a long-distance runner, and to adjust and come back to a challenge with a new way of thinking and additional resources. The enterprise should always be building a more resilient team. “You can start by hiring people who are more likely to be resilient,” says Salmi.