Tripwire Guest Posts
I like to reach out into communities relevant to the safeguarding I do, and this often includes writing guest blog posts for other websites.
On this page you will find the guest posts I have written for Tripwire – they’re a good read with lots of information so not to toot my own horn, but I recommend reading them if you want to learn more.
Originally published:
26 September 2021
Shame and Cybersecurity: Creating a Safe Space in Your Organization
“Say ‘Ta,’” said Mamma Bear.
“Ta,” said Baby Bear. He then dropped the mug of blackcurrant juice by accident.
“What have you done?” exclaimed Daddy Bear. “The carpet is RUINED!!”
Baby Bear felt a great sense of something disturbing, and this wasn’t a thousand voices suddenly being silenced. This was much deeper. This hurt, and Daddy Bear’s face was angry, disappointed. He was panicking about some purple stuff on the carpet. It didn’t make sense, and so Baby Bear could do only one thing. He swallowed the feeling as something he did, he was, and he ‘caused.’
This was shame. This was a bad feeling in the truest sense of the word. It was horrid.
In transactional analysis, this is known as an injunction. A message swallowed whole without question. In psychology, this becomes a knowing of oneself akin to an autobiographical memory recalled in an area of the brain that is now known to be called the Default Mode Network (DMN). What we also know is that this feeling is elicited from the lower regions of the brain when the salient cause is similar to the event described above. If it feels like “I did that, I messed up,” it’s followed by SHAME.
Shame and Cybersecurity
So, what does this have to do with cybersecurity? Why would this piece of knowledge be helpful to a manager, mentor, staff, and anyone else working around information security, governance, and protection? And of course, as the reader of this, I suspect you are putting key concepts together from the above about the end users that you work with, need to educate, and of course spend time with on the shop floor.
Shame is a key driver in cybersecurity attacks, and it’s also a key driver in the conversations we have with one another in a workplace and at home. It is the reason that an end user, also known as a person with feelings (which includes shame), may click a link, not do something they are supposed to, and more importantly for this explanation not speak out when they make a mistake. This is the reason the ‘oopsie’ gets brushed aside, under the carpet, or conveniently forgotten about.
It is not malicious behavior by a person but one of the most deep-rooted feelings we try to avoid as human beings. I often see cyber professionals talk about cyberpsychology, touching upon the periphery of human behavior in their talks, and sometimes focusing on the feeling of fear, which is correct in some circumstances. However, the feeling that drives 99% of humans into certain behaviors is shame avoidance. This looks like fear on the surface, and it is why many cybersecurity professionals talk to this (or should be using it as a starting block). Shame avoidance is deeply rooted in trauma, but it is also a deeply rooted behavior that we all know.
Even dogs exhibit apparent shame. I’m sure you have seen many a viral video or meme, or you may even own a dog and have a visual recall of what posture the animal takes when it has been caught after *insert destructive behavior.* The tail tucks under, the ears fold back, and the dog cowers. The dog owner anthropomorphizes the behavior and says something like, “Yeah, you better be sorry.” However, dogs are not “saying sorry” but using a well-established behavior of submission, as they have picked up on the energy of you losing your patience after they have eaten the sofa, destroyed cushions, or pooped in the kitchen in a dirty protest.
So, if dogs exhibit this, (Who knows if they feel it? It’s not like we can give them a questionnaire.) and if Baby Bear from the story above feels this, how do you expect to know what the end users’ experience of shame is? Do you know what kind of upbringing they had as a small person under the age of 3 or 7 when this behavior is internalized? What is their sensitivity level to shame, and how far are they willing to go to avoid shame? What kind of environment do you create in work where mistakes, “oopsies,” or “boo boos” are tolerated? Specifically, how do you deal with shame?
Dealing with Shame
Do you create a psychometric test to assess potential employees on these issues? (This is often a quick fix, gut response.) If so, do you think they would tell the truth? What would this be like if a colleague, a member of the staff, or end user lost a million pounds through a phishing attack? Would there still be a welcome party?
So, how do you create a shame-free zone in your business? What kind of things can you do?
What works in psychotherapy and beyond are empathy, compassion, and kindness. Along with that, learn how to have interpersonal relationships with your staff—relationships that are about listening, learning, and supporting them. Reciprocal self-disclosure is also helpful. This means learning about human behavior in depth, and not just through surface-level personality tests, psychometric scoring, and assessments with Likert scales. For example, on a scale of 1-10, how are you finding the cleanliness of the office? This means learning about your staff on a one-to-one level, both objectively and subjectively. Developing skills to do this may be beyond the generic and means that you need to create that space for your staff at every level.
Learning about your staff subjectively means you must approach each person as a unique individual. We need to understand each person has an influential past in the here and now. The reason for this is we all have psychological baggage that gets in the way of our day-to-day business work, and it can often drive mistakes because our mind is not on the job. Shame is just that; it is the monster that lives in us and can lead to feelings of unworthiness, badness, hopelessness, and of course uselessness. The way to fight this behemoth is to be the member of staff who cares, does not judge, and knows that life gets in the way of the simplest tasks. If you want your staff to come to you when they “oopsie,” you should be willing to share that you too also have flaws and that you also make mistakes.
Be kind. Be human. Be real.
Originally published:
27 December 2021
Cybersecurity: When Stress and Trauma ‘Get in the Way’
This blog contains a discussion about stress, trauma, and domestic violence. This may be difficult for some readers, and given the alarming figures around Post-Traumatic Stress Disorder (PTSD), trauma, and early life experiences (ACEs), this will likely concern at least a small population of readers.
Please take care of yourself when reading this and break off from reading if you feel the need to. If you do not suffer from PTSD, the following information can also be helpful, as you will certainly encounter someone with this condition in your cybersecurity career.
Once Upon a Time…
Jo Bear is making dinner on time and ready for when Sam returns from work. Jo is looking at the pot of stew, worried that it’s too salty, overcooked, under-cooked or needs more vegetables. This is a difficult dinner to cook because some of the ingredients had expired, and so they couldn’t be used, but Sam asked for this, and so this is what shall be served. Fingers crossed it goes down well!
The door is opened as if a predator is hiding behind it. SLAM! Jo thinks, “Thank goodness they got rid of the dog, as that could have been a hefty vet bill again.” Jo is in the kitchen serving up the stew as Sam arrives with the door-slamming entry. The meal is going well when Sam begins to talk about work and is getting angry and taking it out with the spoon. At this point, Sam mutters something about needing more salt on the vegetables, and Jo jumps up to grab some, knocking the chair over.
Sam explodes, shouting about Jo’s “mess” and telling Joe to “watch what you are doing, you clumsy idiot.” As always, Jo is overly apologetic, and Sam cannot contain the anger. Stew is thrown everywhere! Today’s dinner ended – just like yesterday’s.
Jo goes to bed early and is fraught with the misery of why Sam exploded so quickly this evening. What needs to happen for Sam to “just have a good evening?” Why can’t Sam just “be normal” like everyone else? Sleep evades Jo, and Sam remains downstairs, drinking copiously until near-comatose on the sofa. Day-in and day-out, this pattern repeats.
Morning Has Broken
Sam is at work the next day, and upon arriving, there is a new person at the front door. Sam is skeptical about this person and does the very thing that have been taught in the cybersecurity trainings. Rather than just holding the door open for this unknown person, Sam asks “Hello. Can I help you?” The new person says, “Yes, I’m here for a job interview with Peter.” Sam replies that Peter will be notified and walks off in the direction of the shops to grab a coffee, leaving the stranger at the door.
Sam is feeling terrible after the booze and needs a pick-me-up. As Sam walks and takes a seat on a bench, facing the long line of workers heading to their place of work, the conversation on the phone with Peter turns to discussing the stressful event of the previous day.
Sam explains about the bank and the manager, Mr Christian Surname, and how the file from the important client was processed incorrectly and how Mr. Mussk sent it to the wrong account. Sam exclaims “What an idiot!!” Sam’s bench neighbor stops reading the morning newspaper and listens intently. Sam discusses how last night Jo messed up the dinner, just like Mr. Surname messed up the account, and how he’s noticed that Katy in Human Resources is also making mistakes, and the secretary keeps adding meetings to the calendar without checking anyone’s availability and how Peter needs to bring the team together for the sake of their biggest accounts, as they are losing money to the stocks of other accounts. During this rant, Peter names many of the accounts and stocks that he thinks are affecting the business.
There is an entire litany of internal dialogue that occupies Sam’s head:
“Blah, Blah, Blah! Get it all out and you’ll feel better,” says the anger, dismay, and hangover.
“You tell him, Sam,” says the inner child.
“Take it out on the boss,” says the repressed adolescent.
“I hate him,” says the disempowered part.
“Make it his fault,” says the shameful part.
“He wouldn’t let me say this in his office,” says the righteous indignant small child within.
“I got to get it off my chest,” says the exhausted worker.
“Should you really be saying this in public?” says the inner critic.
“No one here matters or knows me or the company,” says the scolded, angry, embarrassed, hurt, shamed person.
All the while, Sam is divulging some potentially damaging company information in a public location including the names of some important people in the organization, the names of important accounts and stocks, as well as the name of the person in Human Resources. All of these details could be quite valuable to anyone who may be hearing it who wants to capitalize on the information.
Meanwhile…
Jo is at home, doing the morning administrative tasks – emailing out the next set of appointments for the Psychiatric clients that will be coming to the clinic later that week.
Jo is preoccupied with the event of last night – in fact, the last few weeks and months – and is trying to work out a “plan of action” to sit down and approach Sam about their relationship. Jo is worried and anxious. While staring vacantly at the patterns in the crema in the rapidly cooling cup of coffee on the desk, an email from the bank arrives, indicating that an account requires confirmation of a direct debit that was sent last week to an unrecognized recipient. And yep… Jo clicks the link. Jo is not even thinking about whether this is true, panicked because things with Sam are already strained. Imagine if this was a direct debit that should not have been paid? That would be disastrous!!
The echoes in Jo’s head are quite different than the one’s in Sam’s head:
“Click and sort it quick,” says the fear.
“Prevent another meltdown.”
“This could be bad if I spent money without permission.”
“I will be killed if this is discovered.”
All said by the scared, terrified, abused partner.
None of these concerns matter to a cybercriminal, whose only interest is the hopes of easy exploitation of our human condition. In this case, the criminal enjoys a small victory dance, not knowing or caring about the full toll of the crime.
The Human Side of Cybersecurity
Relationships are complicated, as is life, and people behave according to what is happening to them on a minute-by-minute, hour-by-hour, and day-by-day basis. I don’t doubt in this story that Jo and Sam are cognitive, well thought-out professionals with plenty of cybersecurity awareness who are well-versed in behaviors for protecting their data and that of their clients. They both hold high positions in their work and likely have lots of integrity and work ethics.
Yet, they also have feelings, lives, and histories that make them who they are. And they both allowed a personal matter to get in the way of their integrity, values, and cybersecurity behaviors because feelings can override many of our behaviors. Our “elsewhere” thinking can infiltrate us and become a pre-occupation, tying us up in knots of our best-intentioned cybersecurity behaviors. And, of course, our past histories can result in our “shame behaviors.”
We are complicated, and behaviors are more than a nudge, training, and awareness. As professionals who are tasked with protecting an organization or just our families, let’s be more patient and kind both to ourselves and others when a cybersecurity misstep is made.