Building Cognitive Resilience for Crisis Response

Despite the rapidly growing threat landscape and increasingly sophisticated cyberattacks, organizations are still using traditional tabletop exercises for crisis response prep. Companies across all industries are being dragged onto the front lines by intensifying cyberattacks, and the truth of the matter is that the sporadic, outdated methods of tabletopping are simply not enough to prepare them, or their people, for what comes next. Today’s security teams are unwitting participants in the fight to protect their organizations. If they want any chance of keeping up with attackers, they need to change their mindset.

Through my experience in the Ministry of Defence and as a psychologist, I’ve gained a unique perspective on the ways humans react in times of war and crisis – and cyberattacks. Here are three ways that security leaders can better prepare to combat these growing threats and overcome cognitive biases to respond more effectively in times of crisis.

Resilience in Times of Stress

The pandemic has forced people into difficult, never-before-seen situations, making them more aware of what it is like to be in the midst of a crisis. A simple example is governments’ decisions to implement and then lift lockdown restrictions with little notice. Businesses had to immediately change the ways they’d been operating for years, and react in a fast, strategic and thoughtful way to ensure they’d survive for the long haul. After a tumultuous year, we can look back on the ways we overcame these hurdles and remember how we reacted so we’re better prepared for the next time.

This is similar to crisis response. If we can break down the ways we would initially react in a crisis and reevaluate that way of thinking, we might be more successful. We need to recognize and overcome our previous way of thinking – our cognitive biases towards a situation – in order to promote resilience. But being able to step back, review the facts and let go of our cognitive biases in moments of stress takes practice.

For this reason, it’s important that security and business leaders ensure their teams are regularly exercising crisis response scenarios. Teams will react more effectively in a crisis if they’re familiar with the situation at hand. Planning for “could be” situations is useless when you’re facing something totally new and stressful – a likely scenario when it comes to cyberattacks. So instead of planning new approaches or reviewing old plans, turn to regular crisis exercises instead, and make sure your team knows how to face the unknown.

Understanding Cognitive Agility

It’s human nature to trust your gut instincts if you think you’re familiar with a situation and likely outcome. However, despite what Hollywood would have us believe, sometimes our intuition can be wrong. When this happens, we must force ourselves to take a step back and look at other ways we can respond in order to get the result we need.

The same can be said for responding to a cyberattack crisis. Cybersecurity workers will typically lean on their natural decision-making skills, especially if faced with a situation they haven’t dealt with before. They’ll analyze the hallmarks of the attack, try to map it to a situation they’ve experienced before and draw conclusions from those aspects. Sounds reasonable – except this way of thinking can be the start of a series of decisions based on wrong assumptions because of cognitive biases.

So, how can we rely on our gut instincts if the situation is novel and doesn’t resemble anything we’ve experienced before? The answer is simple: we can’t. As a result, it’s imperative that we check our own preconceptions about what something is, and challenge our initial assumptions. This is known as cognitive agility, which helps us understand when to trust our instincts and when to question them.

Proper crisis training over time is critical to keeping organizations secure from today’s rising and evolving threats. Progressive psychological research into the skills required to work in stressful crisis environments has identified the need for a new type of agile and adaptive thinking, called cognitive agility. For a cybersecurity crisis, developing cognitive agility means developing the mental capabilities of the individual responders themselves, and arming them with the skill of agile thinking rather than the ability to respond to a pre-defined set of situations. If security teams have practiced their responses to a range of different crises – often, and in a collaborative way that reflects today’s threat landscape – then they’re more likely to succeed and know how to react when a real crisis hits, even if they’ve never seen something like it before.

The Psychology of Micro-Drilling

Attackers evolve fast. They are relentlessly creative, not afraid of taking extreme and unexpected actions to achieve their ends and, most importantly, they are constantly learning. They are paragons of cognitive agility. By contrast, recent research found that most organizations only run crisis simulations once per year. Some, every two years. There’s a significant mismatch here that forces organizations to constantly scramble to catch up with the attackers.

Learning is a slippery business. It’s not enough to learn a new skill, then file it away for later: we must constantly exercise it until it becomes muscle memory. This is why many business leaders are implementing micro-drilling, a new approach intended to overcome the limitations of less frequent, meeting-room-based tabletop exercises. In their place, it prescribes a series of rapid, short, regular crisis simulations, typically delivered through a browser. Practicing crisis response often will develop the skills necessary to effectively handle any difficult situation – and the more time we spend building these capabilities, the more cognitively agile we become.

In a cyberattack crisis, everything changes. The ‘business as usual’ ways of thinking must flex to the uncertain, complex, and volatile nature of the incident. This year has shown us that, across all industries and professions, no one is exempt from dealing with significant challenges that force new ways of cognitive thinking upon us. Expert crisis responders must embrace cognitive agility and use enhanced ways of thinking and learning if they have any hope of defending against the hackers of today.

Rebecca McKeown

Rebecca McKeown is a Chartered Psychologist and Director of Mind Science Ltd. She is an expert in improving human response in high pressure and high stakes environments. She is a visiting lecturer at Cranfield University, and supports the Ministry of Defence in helping the armed forces build more agile human assets. Rebecca is also currently serving as an advisor to Immersive Labs.
