Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:25 PM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

The Inside Threat from Psychological Manipulators

How internal manipulators can actually degrade your organization's cyber defense, and how to defend against them.

Wikipedia defines psychological manipulation as "a type of social influence that aims to change the behavior or perception of others through indirect, deceptive, or underhanded tactics. By advancing the interests of the manipulator, often at another's expense, such methods could be considered exploitative and devious." In security, manipulators can actually worsen your organization's security posture.

For example, a manipulator may convince others in the organization that the security team is incompetent, an assertion that will take up significant time and energy to refute. Worse, it will leave important security issues unaddressed. This tactic has nothing to do with you or your organization. With manipulators, it is all about them. In this column, I've put together 13 behaviors that manipulators exhibit, along with guidance on how organizations can defend against them.

Related Content:

Make Your Bed' and Other Life Lessons for Security

Risk Assessment & the Human Condition

  1. Lying: If you're like me, you might down your first two cups of coffee in the morning without even batting an eyelash. In other words, it's second nature. Unfortunately, this is what lying feels like to a manipulator. In order to serve their interests, manipulators will tell whatever story they need to tell. In order to protect your company's security posture, you'll need to get everything from a manipulator in writing. Verbal communication is not sufficient. Stick to the facts and always have the data and evidence available to back up those facts.

  2. Deflecting: Some of us process criticism better than others. Manipulators don't process criticism at all. They merely deflect it onto the closest, easiest, or most vulnerable target. It's a defense mechanism that, when left unchecked, keeps the heat on others, rather than the manipulator. If a manipulator needs to address something, politely and professionally keep the focus on that, in writing. Don't be fooled when they try to turn the conversation around.

  3. Projecting: Many manipulators practice what's known as projection. They believe that others behave in a manner similar to the way in which they behave. For example, if they are avoiding answering a question, they will likely be convinced that you are as well. It's difficult, but try not to engage in the games. Keep everything in writing and professional. More than likely, the manipulator will shift tactics rather than answer you directly and in a straightforward manner. In any case, you'll have evidence that shows the truth.

  4. Attacking: Sometimes, the best defense is a good offense. That's great in sports but not so great when it comes to manipulative personality types. When cornered, a manipulator will often go on the attack in an attempt to change the subject or distract from the underlying issue that needs to be addressed. Don't take the bait. Stay focused on what you need to keep your security posture strong.

  5. Evading: Ask a straightforward question, get a straightforward answer, right? Not with manipulators. It seems that many manipulators put more effort into evading than they do into actually working. Stay on point, in writing of course, and don't get distracted.

  6. Vilifying the victim: This strategy is quite effective. Through lying and other tactics, manipulators can actually convince others within the organization that you're the bad guy. This is where having everything in writing and sticking to facts will help you tremendously. The sooner you can show proof of bad behavior in writing, the sooner you can get back to improving the security posture of your organization.

  7. Playing the victim: Although a manipulator might be the aggressor, they often play the victim. They'll promote a narrative that evokes sympathy, attention, and offers of help from others. Beware of this type of activity. Fact check things you hear about others or about the organization that don't seem quite right. Otherwise, you'll be aiding and abetting the manipulators who put themselves first and the security posture of the organization second.

  8. Playing dumb: An easy out for a manipulator is to claim to have had no knowledge of something when confronted. If you've done your homework and kept everything in writing, it will be easy for you to call the manipulator out on that. This will allow you to continue moving forward with the issue at hand rather than getting distracted by yet another game. Just be aware that the manipulator will not take kindly to being called out and may leverage one or more of the other tactics listed here in response.

  9. Guilt: Guilt is a complex emotion when it's real. When it's imposed upon us falsely, it's downright cruel. If you're doing your job fairly and professionally, you have nothing to feel guilty about. Don't think twice about it and get back to your focus on improving the state of security in your organization.

  10. Withholding: Information is power. Withholding information, particularly information that should be granted without delay, gives a manipulator power and control. Then, if they finally do give you the information you were entitled to from the get-go, they make you feel as if you owe them something. Don't fall for it.

  11. Public vs. private: Manipulators often behave quite differently when others are around, or when they think they're being watched. If you are forced to have a verbal interaction with a manipulator and can't get everything in writing, make sure to bring a witness or two with you. At worst, they can back up your story. At best, the manipulator may actually behave, as they will see it in their own self-interest not to be perceived poorly.

  12. Lack of appreciation for generosity: With good people, when you are generous, they appreciate that generosity and give back in return. With a manipulator, there is no appreciation for generosity, but rather a sense of entitlement. If you give, they will take and then ask for more. Learn who appreciates your generosity in your organization. For the rest, take a hard line — it's the only language they understand.

  13. Inner circle: Many manipulators maintain a close inner circle to whom they feed a constant diet of lies and narratives. This gives them backup when they go into a situation where they may be confronted with the truth. Learn who these people are. Chances are, you won't be able to convince them of the truth. Over time, however, you will learn who you can trust and who will embolden the manipulator and impede your progress.

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye.  Prior to joining nPulse, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
8/27/2020 | 6:58:07 PM
At the top
What if the Psycological Manipulator is the CEO?
User Rank: Apprentice
9/1/2020 | 2:23:12 PM
Re: At the top
Is it good for the shareholders?
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.