Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:25 PM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

The Inside Threat from Psychological Manipulators

How internal manipulators can actually degrade your organization's cyber defense, and how to defend against them.

Wikipedia defines psychological manipulation as "a type of social influence that aims to change the behavior or perception of others through indirect, deceptive, or underhanded tactics. By advancing the interests of the manipulator, often at another's expense, such methods could be considered exploitative and devious." In security, manipulators can actually worsen your organization's security posture.

For example, a manipulator may convince others in the organization that the security team is incompetent, an assertion that will take up significant time and energy to refute. Worse, it will leave important security issues unaddressed. This tactic has nothing to do with you or your organization. With manipulators, it is all about them. In this column, I've put together 13 behaviors that manipulators exhibit, along with guidance on how organizations can defend against them.

Related Content:

Make Your Bed' and Other Life Lessons for Security

Risk Assessment & the Human Condition

  1. Lying: If you're like me, you might down your first two cups of coffee in the morning without even batting an eyelash. In other words, it's second nature. Unfortunately, this is what lying feels like to a manipulator. In order to serve their interests, manipulators will tell whatever story they need to tell. In order to protect your company's security posture, you'll need to get everything from a manipulator in writing. Verbal communication is not sufficient. Stick to the facts and always have the data and evidence available to back up those facts.

  2. Deflecting: Some of us process criticism better than others. Manipulators don't process criticism at all. They merely deflect it onto the closest, easiest, or most vulnerable target. It's a defense mechanism that, when left unchecked, keeps the heat on others, rather than the manipulator. If a manipulator needs to address something, politely and professionally keep the focus on that, in writing. Don't be fooled when they try to turn the conversation around.

  3. Projecting: Many manipulators practice what's known as projection. They believe that others behave in a manner similar to the way in which they behave. For example, if they are avoiding answering a question, they will likely be convinced that you are as well. It's difficult, but try not to engage in the games. Keep everything in writing and professional. More than likely, the manipulator will shift tactics rather than answer you directly and in a straightforward manner. In any case, you'll have evidence that shows the truth.

  4. Attacking: Sometimes, the best defense is a good offense. That's great in sports but not so great when it comes to manipulative personality types. When cornered, a manipulator will often go on the attack in an attempt to change the subject or distract from the underlying issue that needs to be addressed. Don't take the bait. Stay focused on what you need to keep your security posture strong.

  5. Evading: Ask a straightforward question, get a straightforward answer, right? Not with manipulators. It seems that many manipulators put more effort into evading than they do into actually working. Stay on point, in writing of course, and don't get distracted.

  6. Vilifying the victim: This strategy is quite effective. Through lying and other tactics, manipulators can actually convince others within the organization that you're the bad guy. This is where having everything in writing and sticking to facts will help you tremendously. The sooner you can show proof of bad behavior in writing, the sooner you can get back to improving the security posture of your organization.

  7. Playing the victim: Although a manipulator might be the aggressor, they often play the victim. They'll promote a narrative that evokes sympathy, attention, and offers of help from others. Beware of this type of activity. Fact check things you hear about others or about the organization that don't seem quite right. Otherwise, you'll be aiding and abetting the manipulators who put themselves first and the security posture of the organization second.

  8. Playing dumb: An easy out for a manipulator is to claim to have had no knowledge of something when confronted. If you've done your homework and kept everything in writing, it will be easy for you to call the manipulator out on that. This will allow you to continue moving forward with the issue at hand rather than getting distracted by yet another game. Just be aware that the manipulator will not take kindly to being called out and may leverage one or more of the other tactics listed here in response.

  9. Guilt: Guilt is a complex emotion when it's real. When it's imposed upon us falsely, it's downright cruel. If you're doing your job fairly and professionally, you have nothing to feel guilty about. Don't think twice about it and get back to your focus on improving the state of security in your organization.

  10. Withholding: Information is power. Withholding information, particularly information that should be granted without delay, gives a manipulator power and control. Then, if they finally do give you the information you were entitled to from the get-go, they make you feel as if you owe them something. Don't fall for it.

  11. Public vs. private: Manipulators often behave quite differently when others are around, or when they think they're being watched. If you are forced to have a verbal interaction with a manipulator and can't get everything in writing, make sure to bring a witness or two with you. At worst, they can back up your story. At best, the manipulator may actually behave, as they will see it in their own self-interest not to be perceived poorly.

  12. Lack of appreciation for generosity: With good people, when you are generous, they appreciate that generosity and give back in return. With a manipulator, there is no appreciation for generosity, but rather a sense of entitlement. If you give, they will take and then ask for more. Learn who appreciates your generosity in your organization. For the rest, take a hard line — it's the only language they understand.

  13. Inner circle: Many manipulators maintain a close inner circle to whom they feed a constant diet of lies and narratives. This gives them backup when they go into a situation where they may be confronted with the truth. Learn who these people are. Chances are, you won't be able to convince them of the truth. Over time, however, you will learn who you can trust and who will embolden the manipulator and impede your progress.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/1/2020 | 2:23:12 PM
Re: At the top
Is it good for the shareholders?
User Rank: Apprentice
8/27/2020 | 6:58:07 PM
At the top
What if the Psycological Manipulator is the CEO?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...