Hit too many times with successful attacks and compromises, an enterprise's human resources can develop a victim mentality, a.k.a. learned helplessness. When this happens, employees who feel they are helpless to do anything effective to fight cyber attacks lose hope.
CSO looks at the symptoms of the victim mentality in the enterprise, how it comes about, and what enterprises can do technically and psychologically to avoid it.
The victim mentality and its symptoms
In the field of psychology, professionals also refer to the victim mentality as learned helplessness. "Learned Helplessness is a pattern of behaviors that develop in people when they are in a situation where they feel they have no power or control and they essentially give up," says Steven Salmi, PhD, LP, President and CEO, Corporate Psychologists.
Learned helplessness can surface in the corporate world where constant and extreme information security threats flourish. "If people feel stuck in a situation where no available choice will get them out of it, they can start to shut down," says Salmi.
There are ear marks or symptoms that can help an organization to gauge whether its people may have succumbed to learned helplessness. One of those symptoms is apathy. "Your people will exhibit passivity and disengage from their work. They won't put in the discretionary effort that your high performers do," says Salmi. Or, they may intermittently demonstrate lower levels of engagement.
And because misery loves company, affected employees may try to bring others down or look for co-workers who are already afflicted with whom they can share their emotional state. "People with learned helplessness point the finger, give excuses, shift the blame, and procrastinate. They can be more pessimistic, even defensive," says Salmi.
Steven Salmi, PhD, LP, President and CEO, Corporate Psychologists
One security expert has empirical evidence that supports the psychological interpretation. "I hear continuously that breach is inevitable and you simply must assume compromise and that it is not possible to build systems and security that can stop attackers," says Eric Cowperthwaite, Vice President, Advanced Security & Strategy, CORE Security.
Further evidence appears when enterprises buy security breach insurance despite the fact that they don't have a visible security program. "This happens because the organization assumes that breach is inevitable and that they need to try to transfer the risk using insurance," says Cowperthwaite.
Finally, the victim mentality is visible when security leadership wants to immediately focus on stopping the biggest potential threats such as Zero Day Attacks and APTs before addressing basic security. "They assume that the bad guys are so advanced that the organization cannot stop them by doing the basics of security," says Cowperthwaite.
"In my experience, more than 90 percent of all intrusions, incidents, and breaches occur because the organization didn't take care of the basics," says Cowperthwaite. For example, the organization did not apply patches, did not harden systems, did not keep firewalls up to date, and did not have a security leader at the executive level who was directly accountable to senior leadership.
There are many enterprise environments where people have a lot of responsibility and information security threats target data they have responsibility for. Even if they try to anticipate the next attack, they really have no idea who is going to launch it or when or how. "If you feel like you have a lot of responsibility in a high stakes environment but very little control to effect a meaningful change, that's going to create learned helplessness," says Salmi.
Learned helplessness can also come about when a low level manager is in charge of security and has no business visibility to aid him. "This leaves the impression that the organization does not care about proper information security and they are not going to implement basic security measures to keep the enterprise secure," says Cowperthwaite. The victim mentality arises here because security leadership knows what resources they need in order to secure their systems but they don't feel that their business cares enough to provide it.
Too much negative security news can also be defeating. "We have been beat to death by media stories about breaches. Every time we turn around someone else is being hacked. That misleads people to believe that anyone can fall victim. But as we dig into these breaches, it turns out that the enterprise didn't do something basic like patch a test server, which an attacker used to break into the network," says Cowperthwaite.
Preventing learned helplessness
To prevent learned helplessness or reclaim people who suffer from it, it's important to foster resilience in people over time, to support and enhance their ability to recover from failure, to be a long-distance runner, and to adjust and come back to a challenge with a new way of thinking and additional resources. The enterprise should always be building a more resilient team. "You can start by hiring people who are more likely to be resilient," says Salmi.
To support an empowered and resilient team, test and prove the theory that when basic security measures are consistently applied, these can make it harder for the relatively rare attacks of APTs, Zero-Day Exploits, and Nation States to succeed. "Organizations need to stop worrying about APTs and Zero-Day exploits," says Cowperthwaite, "and start patching vulnerabilities that they've known about for years."
While enterprises can locate available patches with the help of the given software vendor, they may also want to use a patch management software package to ease the process of patching their many systems. There are many patch management products available; a few of them include Desktop Central from Manage Engine, Lumension's Patch & Remediation, and LabTech's product of the same name.
In addition to patching software vulnerabilities, basic security measures include hardening systems so that no ports or services are open or functional that are not necessary for the system to do its job. Most popular OS software vendors such as Microsoft, RedHat, and Apple and security organizations such as the NSA, SANS Institute, and NIST publish detailed software hardening instructions that are freely available. In addition, there are enterprise policy managers and auditing software packages that automate software hardening across systems and platforms.
Keeping firewalls up to date is another element of basic security. The enterprise should stay in contact with the vendors that support its hardware, software, network, NGFW, WAF, or any firewalls to receive and apply necessary updates and upgrades as they become available. Where there is a new security update, even for a firewall, there is an old vulnerability it must close and an attacker who knows how to leverage it if the enterprise does nothing.
Lead where you intend to
Avoiding the victim mentality starts and ends with leadership. Enterprises that don't appoint some sort of security czar at the C-level who is directly accountable to the CEO and the board may be inviting victimization by cyber hoodlums.
There's a saying that "you can't lead where you won't go". The opposite is also true: you will lead where you do go, and people will follow. If the example is that security is not important, that the enterprise is ill-equipped to deal with information compromise, and that attackers will routinely prevail, employees will follow that lead, likely with a bad case of learned helplessness.