How do you feel about cybersecurity?
We know that cybersecurity is a primarily a human endeavor – an endeavor driven by human decisions and conflicts that are escalated or resolved through a cyber professional’s human skill. Technology helps, but it’s just a tool. If we know all this, why does it feel unnatural to talk about the emotional implications of cybersecurity? In the end, information security is not as much about information or security as it is about people (as the fabulous Evan Francen says).
Karen Renaud, a Scottish computing professor, and her co-authors dissect this in their study: “We hoped to explore how the man and woman in the street feels about cybersecurity as a phenomenon. In particular, what puzzles them, what questions they would like to ask (but perhaps do not ask) …we wanted to hear them describe the perceptions they formed based on their lived experiences of cybersecurity” (2021, 2). [1] Instead of finding the ‘meh,’ and ambivalence that most in the cybersecurity world expect, they found “participants wanted better security, but did not know what actual cybersecurity measures to take” (9), despite the many resources at their disposal. Why? They suspect that “the problem lies neither in unmotivated users nor in a lack of information, but in the feelings of insecurity, uncertainty, frustration and mental overload experienced by participants.” (9) It isn’t about information being unavailable; it’s about an inability to handle the emotional stress surrounding cybersecurity.
As small business owners and cybersecurity professionals, how do we change this? Bombarding our employees or the supposedly unmotivated public with dire statistics and doomsday prediction isn’t cutting it. It only feeds on the negative emotional reactions that block us from our goal: protection and resilience. Instead, we need to find ways to bridge the emotional barriers to address the technological issues. Unfortunately, that’s not something that IT and cybersecurity companies are known for.
I believe there is a way, however, and it starts with management. Researchers Patrick Stacey and his coauthors studied the emotional reactions of an IT team after a cyber-attack. They say that “the team experienced negative emotion-focused coping when the cyber-attack occurred,” which is unsurprising, “but this was transformed into problem-focused coping by an intervention from senior management” (2021, 9-10)[2]. If management can make or break a team’s negative coping after a full-blown cyber-attack, it stands to reason that management will also be key in moving employees from a state of stress and uncertainty, to being responsible for their cyber hygiene.
We can do this in two ways:
- Talk about it.
It doesn’t have to be doomsday prepping to make sure your company is aware of cybersecurity policies. In fact, “in organization where employees are aware of explicit information security policies, employees have more appropriate beliefs about their organizational norms, threats and coping appraisals, and report better protective behaviors” (Li, 2019).[i] When you have prepared for cyber threats, it will make your employees feel more secure, rather than less, to be aware of the procedures they can follow to protect their company.
- Lead with affirmation.
Just because threats are serious doesn’t mean that you can’t affirm when your team does something well. In Stacey’s study, the management team turned the long-lasting emotional implications of the cyberattack around through “providing positive feedback to the IT personnel (+M6). These yielded feelings of contentment while boosting self-efficacy and confidence (+E2) not to mention relief, satisfaction, alleviation and comfort, after the event (+E3)” (2021, 8). To continue after a crisis, you must shape a narrative about the crisis for your team, allowing them to process it as a challenge that was overcome rather than a shameful failure to avoid.
Although cyber threats are real and we should protect against them, we need to change the way we build the cybersecurity narrative. At the end of the day, cyber resilience doesn’t end with your data and software. It includes the ability of your team to continue to operate holistically—mentally, physically, and emotionally—before and after a cybersecurity incident. So let me ask this question differently: how are we going to shape how our team feels about cybersecurity?