
01:25 PM
Joshua Goldfarb

The Inside Threat from Psychological Manipulators

How internal manipulators can actually degrade your organization's cyber defense, and how to defend against them.

Wikipedia defines psychological manipulation as "a type of social influence that aims to change the behavior or perception of others through indirect, deceptive, or underhanded tactics. By advancing the interests of the manipulator, often at another's expense, such methods could be considered exploitative and devious." In security, manipulators can actually worsen your organization's security posture.

For example, a manipulator may convince others in the organization that the security team is incompetent, an assertion that will take up significant time and energy to refute. Worse, it will leave important security issues unaddressed. This tactic has nothing to do with you or your organization. With manipulators, it is all about them. In this column, I've put together 13 behaviors that manipulators exhibit, along with guidance on how organizations can defend against them.

  1. Lying: If you're like me, you might down your first two cups of coffee in the morning without even batting an eyelash. In other words, it's second nature. Unfortunately, this is what lying feels like to a manipulator. In order to serve their interests, manipulators will tell whatever story they need to tell. In order to protect your company's security posture, you'll need to get everything from a manipulator in writing. Verbal communication is not sufficient. Stick to the facts and always have the data and evidence available to back up those facts.

  2. Deflecting: Some of us process criticism better than others. Manipulators don't process criticism at all. They merely deflect it onto the closest, easiest, or most vulnerable target. It's a defense mechanism that, when left unchecked, keeps the heat on others, rather than the manipulator. If a manipulator needs to address something, politely and professionally keep the focus on that, in writing. Don't be fooled when they try to turn the conversation around.

  3. Projecting: Many manipulators practice what's known as projection. They believe that others behave in a manner similar to the way in which they behave. For example, if they are avoiding answering a question, they will likely be convinced that you are as well. It's difficult, but try not to engage in the games. Keep everything in writing and professional. More than likely, the manipulator will shift tactics rather than answer you directly and in a straightforward manner. In any case, you'll have evidence that shows the truth.

  4. Attacking: Sometimes, the best defense is a good offense. That's great in sports but not so great when it comes to manipulative personality types. When cornered, a manipulator will often go on the attack in an attempt to change the subject or distract from the underlying issue that needs to be addressed. Don't take the bait. Stay focused on what you need to keep your security posture strong.

  5. Evading: Ask a straightforward question, get a straightforward answer, right? Not with manipulators. It seems that many manipulators put more effort into evading than they do into actually working. Stay on point, in writing of course, and don't get distracted.

  6. Vilifying the victim: This strategy is quite effective. Through lying and other tactics, manipulators can actually convince others within the organization that you're the bad guy. This is where having everything in writing and sticking to facts will help you tremendously. The sooner you can show proof of bad behavior in writing, the sooner you can get back to improving the security posture of your organization.

  7. Playing the victim: Although a manipulator might be the aggressor, they often play the victim. They'll promote a narrative that evokes sympathy, attention, and offers of help from others. Beware of this type of activity. Fact check things you hear about others or about the organization that don't seem quite right. Otherwise, you'll be aiding and abetting the manipulators who put themselves first and the security posture of the organization second.

  8. Playing dumb: An easy out for a manipulator is to claim to have had no knowledge of something when confronted. If you've done your homework and kept everything in writing, it will be easy for you to call the manipulator out on that. This will allow you to continue moving forward with the issue at hand rather than getting distracted by yet another game. Just be aware that the manipulator will not take kindly to being called out and may leverage one or more of the other tactics listed here in response.

  9. Guilt: Guilt is a complex emotion when it's real. When it's imposed upon us falsely, it's downright cruel. If you're doing your job fairly and professionally, you have nothing to feel guilty about. Don't think twice about it and get back to your focus on improving the state of security in your organization.

  10. Withholding: Information is power. Withholding information, particularly information that should be granted without delay, gives a manipulator power and control. Then, if they finally do give you the information you were entitled to from the get-go, they make you feel as if you owe them something. Don't fall for it.

  11. Public vs. private: Manipulators often behave quite differently when others are around, or when they think they're being watched. If you are forced to have a verbal interaction with a manipulator and can't get everything in writing, make sure to bring a witness or two with you. At worst, they can back up your story. At best, the manipulator may actually behave, as they will see it in their own self-interest not to be perceived poorly.

  12. Lack of appreciation for generosity: With good people, when you are generous, they appreciate that generosity and give back in return. With a manipulator, there is no appreciation for generosity, but rather a sense of entitlement. If you give, they will take and then ask for more. Learn who appreciates your generosity in your organization. For the rest, take a hard line — it's the only language they understand.

  13. Inner circle: Many manipulators maintain a close inner circle to whom they feed a constant diet of lies and narratives. This gives them backup when they go into a situation where they may be confronted with the truth. Learn who these people are. Chances are, you won't be able to convince them of the truth. Over time, however, you will learn who you can trust and who will embolden the manipulator and impede your progress.

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, ...

User Rank: Apprentice
9/1/2020 | 2:23:12 PM
Re: At the top
Is it good for the shareholders?
User Rank: Apprentice
8/27/2020 | 6:58:07 PM
At the top
What if the Psychological Manipulator is the CEO?