The Subtle Sabotage Of Blame In Cybersecurity & Online Safety
A SCARS™ Insight by Tim McGuinness, Ph.D.
This article is for business owners and mid-level or senior managers!
We All Do It, We All Blame Someone For Something
Sometimes it is justified, sometimes there is cause, and it is very hard to remove it from your vocabulary – but it is always destructive.
I recently heard a cybersecurity training professional tell a story about motivating a corporate team to do better with cybersecurity. It was something to the effect that they needed to learn the material because “You don’t want to be the one that lets a breach happen!”
Now think about that for a moment and let those words sink in.
That is not motivation, it is blame – blaming Blame or Blaming is the act of censuring, holding responsible, making negative statements about an individual or group that their action or actions are socially or morally irresponsible, the opposite of praise. When someone is morally responsible for doing something wrong, their action is blameworthy. By contrast, when someone is morally responsible for doing something right, we may say that his or her action is praiseworthy. Blame imparts responsibility for an action or act, as in that they made a choice to perform that act or action. in advance! Letting those people know that there will be blame in the event of a mistake or an incident. What would be your reaction if someone said that to you?
Yet, if we are honest, that is the way most of us talk to our children or were talked to by our parents too. This is where we learn our blaming approach to life – it starts as children – being told that we will be to blame if we do something wrong. It wires itself into our brain and without even realizing it we perpetuate it for the rest of our life – in our personal life, with our family and friends, and in the workplace.
I myself have been very guilty of this and until I started seriously focusing on victims’ assistance (cybercrime victims) a decade ago, I did not realize the extent that I myself used to do it too.
Developing An Understanding
When you try to help traumatized people recover from deep manipulative cyber-enabled crime A Cyber-enabled crime is one where technology facilitates a criminal to commit a crime against an individual or a business. These are where there is a one to one relationship between the criminal and the victim. Romance scams, email fraud, and many other types of scams are considered cyber-enabled crimes. The technology used can be the Internet, a computer, a phone, or other devices. you begin to develop an understanding of how language can affect them, and how you have to modify the tonality of your language to help them. But as I and the organization I am a part of [SCARS www.AgainstScams.org] has more fully explored the trauma Emotional and psychological trauma is the result of extraordinarily stressful events that shatter your sense of security, making you feel helpless in a dangerous world. Psychological trauma can leave you struggling with upsetting emotions, memories, and anxiety that won’t go away. It can also leave you feeling numb, disconnected, and unable to trust other people.
Traumatic experiences often involve a threat to life or safety or other emotional shocks, but any situation that leaves you feeling overwhelmed and isolated can result in trauma, even if it doesn’t involve physical harm. It’s not the objective circumstances that determine whether an event is traumatic, but your subjective emotional experience of the event. The more frightened and helpless you feel, the more likely you are to be traumatized.
Trauma requires treatment, either through counseling or therapy or through trauma-oriented support programs, such as those offered by SCARS. of victims, we realized that overcoming blame was not limited only to victims. In fact, it appears that “Pre-Blame” is one of the contributors to the self-blame Victim blaming occurs when the victim of a crime or any wrongful act is held entirely or partially at fault for the harm that befell them. SCARS seeks to mitigate the prejudice against victims and the perception that victims are in any way responsible for the actions of offenders or scammers. There is historical and current prejudice against the victims of domestic violence and sex crimes, such as the greater tendency to blame victims of rape than victims of robbery. Scam victims are often blamed by family & friends for the crime. Scam victims also engage in self-blame even though they are not to blame. and shame Shame is an unpleasant self-conscious emotion typically associated with a negative evaluation of the self; withdrawal motivations; and feelings of distress, exposure, mistrust, powerlessness, and worthlessness. that victims of cybercrime feel after the event.
Everyone Experiences Cybercrime
Almost everyone that experiences a cybercrime – especially those based upon social engineering Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It is used as a type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
It has also been defined as "any act that influences a person to take any action that may or may not be in their best interests." and manipulation – experience some shame after the event. This shame will prevent the victim from reporting the crime, fully accepting it, and prevent them from sharing the experience with friends, family, or co-workers. This sense of shame even appears to increase the longer it is maintained. That is to say, the longer the secret is kept the harder it is to tell it.
When looking at this problem of “Pre-Blame” or “Set-up Blame” in the corporate context we see this tendency to try to reinforce the importance of cybersecurity by setting up a sense of dread in the team members so that they will “stay on their toes.” Except that we see that it has the opposite effect. That sense of dread not only creates fear of making a mistake which can inhibit critical, logical, and solution-oriented thinking that would make it difficult for someone to mitigate an incident but can cause paralysis after the realization that it was their fault.
As we teach – there are THREE STAGES in a cyberattack or cybercrime:
- The Attack – the actions that create or exploit a vulnerability – either of a system or a human. These are the actions perpetrated by the attacker.
- The Defense – the critical actions that need to be taken to stop an attack and mitigate its immediate impact.
- The Recovery – this is actually the step most overlooked in the cybersecurity profession and by victims themselves. It deals with the postmortem of the attack, but also helps humans to understand their roles without blame and to recover from the inevitable trauma that came from that experience.
Trauma is an inevitable part of the cybercrime experience just like it is in any form of violence – and make no mistake – cybercrime is violence – no doubt about it. As Interpol says “Online Crime Is Real Crime!”
Yet, so often in the corporate or family context, we set up the blame in advance, and when the incident occurs we already know who and how to blame like a coiled snake ready to leap. The impact of this is not just a sense of guilt or shame by the individual involved, even if it was a mistake that anyone would make, but it also sabotages the recovery after the incident and sabotages the further hardening of the environment that will be necessary for everyone’s future security.
Consider that when you set up your teams with an advance understanding that there will be blame, the following occurs:
- Everyone develops a sense of dread, in some cases, it can almost become a phobia Phobias are one of the most common mental illnesses in the United States. The National Institute of Mental Health suggests that 8% of U.S. adults have some type of phobia. Women are more likely to experience phobias than men. Typical symptoms of phobias can include nausea, trembling, rapid heartbeat, feelings of unreality, and being preoccupied with the fear object.
The American Psychiatric Association (APA) identifies three different categories of phobias: social phobias, agoraphobia, and specific phobias.1 When people talk about having a phobia of a specific object such as snakes, spiders, or needles, they are referring to a specific phobia. about using technology – the fear that they will break something.
- The team will be less likely to work together on problems for fear that someone else will discover how little they know (or they think).
- In the event of an incident, people are reluctant to ask for help that could reduce the impact.
- If an event does occur the team members will be more likely to cover up the incident and not ask for help to prevent future attacks because they expect to be blamed.
- Each team member believes that when it hits the fan they are on their own.
This is not a hypothesis, this is how humans are wired.
When people believe they are at fault they will blame themselves and the same negative effects will still apply. In studying this phenomenon we have found that most victims will not recover from this. About a third will develop various forms of denial Denial is a refusal or unwillingness to accept something or to accept reality. Refusal to admit the truth or reality of something, refusal to acknowledge something unpleasant; And as a term of Psychology: denial is a defense mechanism in which confrontation with a personal problem or with reality is avoided by denying the existence of the problem or reality.. Another third will express their self-blame or shame through anger Anger, also known as wrath or rage, is an intense emotional state involving a strong uncomfortable and non-cooperative response to a perceived provocation, trigger, hurt or threat. About one-third of scam victims become trapped in anger for extended periods of time following a scam.
A person experiencing anger will often experience physical effects, such as increased heart rate, elevated blood pressure, and increased levels of adrenaline and noradrenaline. Some view anger as an emotion that triggers a part of the fight or flight response. Anger becomes the predominant feeling behaviorally, cognitively, and physiologically.
Anger can have many physical and mental consequences. While most of those who experience anger explain its arousal as a result of "what has happened to them", psychologists point out that an angry person can very well be mistaken because anger causes a loss in self-monitoring capacity and objective observability. or aggression. We find that only about one-third are sufficiently realists to accept that the event happened and can work through the trauma and let go of the blame or shame associated with it.
The result is certainly not something that any organization wants to instill in their teams or wants to be sustained after an incident. And the irony is that much of it is self-created by the simple way that trainers and managers use blame to try to motivate their people instead of developing the essential cooperation that defends and repels attacks, and more importantly, since all defenses will ultimately fail, to develop the recovery processes and mind-set that get everyone back working as a team.
Almost every organization understands the impact on their workforce when there is violence affecting their team – HR departments know how to refer to or bring in trauma counselors when there is an assault, domestic abuse, harassment, etc. But cybercrimes Cybercrime is a crime related to technology, computers, and the Internet. Typical cybercrime are performed by a computer against a computer, or by a hacker using software to attack computers or networks. also leave people traumatized, especially if it was a person’s own mistake that caused it or they believe it was their fault.
Attacking The Victims
A recent trend around the world is to even litigate against an employee that makes a mistake. Imagine the pressure that everyone is under when that is on the table. Especially when the fact is that everyone makes mistakes, every security fails, and even the best training overlooks something.
Cybercriminals are smarter than your team. They will get through, count on it.
But how you come out the other side is a direct function of how you prepare your team to be motivated to act and how you support them after an incident. Get that wrong and you will remain broken.
If your business needs guidance, SCARS is available to help you prepare your teams to address these issues. Contact us to explore this!