The Inside Threat from Psychological Manipulators

How internal manipulators can actually degrade your organization's cyber defense, and how to defend against them.

Joshua Goldfarb, Global Solutions Architect — Security

August 27, 2020

6 Min Read

Wikipedia defines psychological manipulation as "a type of social influence that aims to change the behavior or perception of others through indirect, deceptive, or underhanded tactics. By advancing the interests of the manipulator, often at another's expense, such methods could be considered exploitative and devious." In security, manipulators can actually worsen your organization's security posture.

For example, a manipulator may convince others in the organization that the security team is incompetent, an assertion that will take up significant time and energy to refute. Worse, it will leave important security issues unaddressed. This tactic has nothing to do with you or your organization. With manipulators, it is all about them. In this column, I've put together 13 behaviors that manipulators exhibit, along with guidance on how organizations can defend against them.

  1. Lying: If you're like me, you might down your first two cups of coffee in the morning without even batting an eyelash. In other words, it's second nature. Unfortunately, this is what lying feels like to a manipulator. In order to serve their interests, manipulators will tell whatever story they need to tell. In order to protect your company's security posture, you'll need to get everything from a manipulator in writing. Verbal communication is not sufficient. Stick to the facts and always have the data and evidence available to back up those facts.

  2. Deflecting: Some of us process criticism better than others. Manipulators don't process criticism at all. They merely deflect it onto the closest, easiest, or most vulnerable target. It's a defense mechanism that, when left unchecked, keeps the heat on others, rather than the manipulator. If a manipulator needs to address something, politely and professionally keep the focus on that, in writing. Don't be fooled when they try to turn the conversation around.

  3. Projecting: Many manipulators practice what's known as projection. They believe that others behave in a manner similar to the way in which they behave. For example, if they are avoiding answering a question, they will likely be convinced that you are as well. It's difficult, but try not to engage in the games. Keep everything in writing and professional. More than likely, the manipulator will shift tactics rather than answer you directly and in a straightforward manner. In any case, you'll have evidence that shows the truth.

  4. Attacking: Sometimes, the best defense is a good offense. That's great in sports but not so great when it comes to manipulative personality types. When cornered, a manipulator will often go on the attack in an attempt to change the subject or distract from the underlying issue that needs to be addressed. Don't take the bait. Stay focused on what you need to keep your security posture strong.

  5. Evading: Ask a straightforward question, get a straightforward answer, right? Not with manipulators. It seems that many manipulators put more effort into evading than they do into actually working. Stay on point, in writing of course, and don't get distracted.

  6. Vilifying the victim: This strategy is quite effective. Through lying and other tactics, manipulators can actually convince others within the organization that you're the bad guy. This is where having everything in writing and sticking to facts will help you tremendously. The sooner you can show proof of bad behavior in writing, the sooner you can get back to improving the security posture of your organization.

  7. Playing the victim: Although a manipulator might be the aggressor, they often play the victim. They'll promote a narrative that evokes sympathy, attention, and offers of help from others. Beware of this type of activity. Fact check things you hear about others or about the organization that don't seem quite right. Otherwise, you'll be aiding and abetting the manipulators who put themselves first and the security posture of the organization second.

  8. Playing dumb: An easy out for a manipulator is to claim to have had no knowledge of something when confronted. If you've done your homework and kept everything in writing, it will be easy for you to call the manipulator out on that. This will allow you to continue moving forward with the issue at hand rather than getting distracted by yet another game. Just be aware that the manipulator will not take kindly to being called out and may leverage one or more of the other tactics listed here in response.

  9. Guilt: Guilt is a complex emotion when it's real. When it's imposed upon us falsely, it's downright cruel. If you're doing your job fairly and professionally, you have nothing to feel guilty about. Don't think twice about it and get back to your focus on improving the state of security in your organization.

  10. Withholding: Information is power. Withholding information, particularly information that should be granted without delay, gives a manipulator power and control. Then, if they finally do give you the information you were entitled to from the get-go, they make you feel as if you owe them something. Don't fall for it.

  11. Public vs. private: Manipulators often behave quite differently when others are around, or when they think they're being watched. If you are forced to have a verbal interaction with a manipulator and can't get everything in writing, make sure to bring a witness or two with you. At worst, they can back up your story. At best, the manipulator may actually behave, as they will see it in their own self-interest not to be perceived poorly.

  12. Lack of appreciation for generosity: With good people, when you are generous, they appreciate that generosity and give back in return. With a manipulator, there is no appreciation for generosity, but rather a sense of entitlement. If you give, they will take and then ask for more. Learn who appreciates your generosity in your organization. For the rest, take a hard line — it's the only language they understand.

  13. Inner circle: Many manipulators maintain a close inner circle to whom they feed a constant diet of lies and narratives. This gives them backup when they go into a situation where they may be confronted with the truth. Learn who these people are. Chances are, you won't be able to convince them of the truth. Over time, however, you will learn who you can trust and who will embolden the manipulator and impede your progress.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights