The complexity, ceaselessness, and increasingly destructive nature of today's cyber threats creates a high cognitive workload. This is why it's crucial to ensure that employees are developing the right cognitive skills and agility to protect against attacks. Doing so will have a powerful impact on an organization's cyber-workforce resilience.
A recent "Cyber Workforce Benchmark" report from Immersive Labs took the pulse of cyber skills, knowledge, and preparedness of organizations and their workforces across numerous industries, including financial services, retail, healthcare, and government. The report examines how prepared certain industries are for cyberattacks, providing results from a psychological standpoint. Here are some key findings from the report and the psychological analysis behind them.
The frequency of organizations conducting cyber-crisis exercises varies significantly across different industries — and can also impact performance scores.
An analysis of more than 6,400 crisis response decisions shows that technology and financial services companies prepare the most for cyberattacks, running nine and seven exercises per year, respectively. Critical national infrastructure organizations prepare the least, with just one exercise per year. Healthcare runs a mere two. When it comes to these industries' performance in cyber-crisis exercises, healthcare scored 18%, which is low when compared with technology companies, which scored 80%.
What it means: The more an organization exercises its abilities, the better they become.
Psychology provides an explanation as to why this is the case. People develop surface-level knowledge of a capability before moving on to more advanced thinking. If these skills aren't reinforced or exercised, they fade. It's like learning a new language: If you don't practice the language and speak it on a regular basis, odds are you will lose your knowledge of it. Only with regular, consistent practice and exercise will crisis response teams be able to develop the ability to make connections between previous decisions and how to apply them — or not — during a cyberattack.
Ransomware causes great uncertainty for crisis response teams.
The research asked participants to rate how confident they were in their answers during training, and the simulations that focused on ransomware were the ones where participants lost confidence in their decision-making and judgments. Teams did not want to pay the ransom, with 83% of participants saying they would not do so. However, they were also uncertain about the outcome if they did not pay. Interestingly, the report showed, the industries most likely to pay ransoms were education (25%), consulting (23%), and retail and e-commerce (20%).
What it means: This lack of decision-making confidence points to a classic issue for crisis response teams, often referred to as a "wicked problem."
When considering options with no clear-cut resolution, decisions are challenged by data overload and decision fatigue. The sheer amount of information can be overwhelming. Decisions may be rushed, based on uncertainty or even fear. In the end, because the brain becomes overwhelmed, we settle on a compromise that leads to a lack of confidence in the decision.
High-profile vulnerabilities see a significantly decreased time to capability.
Four of the top five fastest-developed skills in 2021 came from dealing with the Log4j vulnerability. It took cybersecurity teams an average of two days to develop the knowledge and skills to defend against it. This was a whopping 48 times faster than the average threat intelligence lab. This reflects the severe impact of Log4j. It also demonstrates the scramble many teams faced in understanding and responding to the threat.
What it means: The human need to take action is an automatic response, hardwired into our brains, and could cause people to rush into making decisions — good or bad.
The brain makes assumptions and takes shortcuts based on previous experiences, which could spell trouble for organizations. These assumptions and shortcuts, known as biases and heuristics, can lead to irrelevant decisions that may end up backfiring or even making situations worse. If people understood how their minds work and how they react in emergencies, they could learn how to eventually counteract their natural instincts. This will help increase confidence and the effectiveness of decision-making in the future.
The Bottom Line
Cyber-workforce resilience is more crucial than ever before. Cyber-crisis exercises should not be considered a one-and-done occurrence — nor should they be exclusive to cyber teams. We must shift our mindset to making regular exercises a critical business function, developing cognitive agility across the entire workforce. Continuous professional development needs to become part of the day job. We call this concept "microdrilling." It helps to sharpen teams' skills, bolster their confidence when making decisions, and enable them to make smarter decisions in real-life situations. The goal is not to teach people to respond to a specific crisis, but rather to develop the necessary decision-making skills to respond to any crisis. Organizations will never become truly cyber resilient unless they make regular cyber exercises across the workforce a priority.