LOSING THE MASK: Using Social Psychology to Teach Your Board Cybersecurity
Updated: Sep 24, 2020
Do a Google Image search for the word “hacker.”
Seriously, do it right now. This article isn’t going anywhere.
What do you see?
Dark rooms. Dark hoodies. Dark computer screens with ominous streams of 1s and 0s.
What else do you see?
A Guy Fawkes mask. Maybe a skull and crossbones. Probably someone in a balaclava.
What don’t you see?
A face. A person. A human being.
Why is that?
And why is that a problem for someone trying to convince their board to take cybersecurity seriously?
Well, the answer to those questions is why we wrote this article.
If the past few years have taught us anything, it’s that cybercrime (ransomware attacks, business email compromise, data breaches, etc.) is a major threat to any business that falls victim, especially one that is unprepared. We don’t need to rehash the familiar statistics, but for small and middle market businesses, a crippling attack could mean the shuttering of your business. And for enterprise-level firms, while the odds are lower that you’ll be forced to shut down after an attack, you could still be faced with response costs and liabilities/penalties that stretch well into nine figures.
Given the obvious risk, though, a stunningly small percentage of businesses in the SMB space embrace a holistic approach to cybersecurity, one that honestly considers the risks facing that business, the current state of readiness, and an attempt to determine a reasonable and appropriate level of security. Most, but not all, enterprise businesses have been more eager to adopt better security programs, due in no small part to the fact that they have the resources to do so. For many, though, cybersecurity is a patchwork of solutions, implemented at different times by different leaders and to varying degrees of utility.
It’s not hard to understand the failure to embrace a robust security position. Understanding what tools to acquire is nearly impossible for the non-security person, and those tools are often prohibitively expensive for SMBs. Even if they can afford those tools, they may not be able to afford to pay security pros the salary the market demands for their talent, so they leave those highly specialized tools in the hands of IT generalists who, though meaning well, may not be skilled enough to properly deploy and manage them.
All of that is true. But we’re here to argue that there’s another, perhaps more fundamental reason that businesses fail at security so often.
We haven’t humanized our adversary, and this hinders our ability to tell a persuasive cybersecurity story to our boards.
The longer we keep hackers in the realm of ideas, the more difficult it will be for us to tell an accurate risk story to boards and leadership teams. But the sooner we strip off their Guy Fawkes mask, and recognize them for who they are, the sooner we can be more effective in both securing our organizations and convincing others that our organizations need securing.
Why do we believe this will work? Because we’re human, and they’re human too. We know what motivates them because it is, at its core, the same thing that motivates us: success, principles, notoriety, money... We know what frustrates them because the same things drive us mad: lack of progress, lack of payoff, inability to execute on their plans, etc. If we just recognize that hackers are people too (there’s a bumper sticker for you), we’re on the way to knowing how to stop them before they’ve done their worst. And that makes for an effective story.
In this article, we’re going to merge two specialties: social psychology (viewed through the lens of litigation and trial advocacy) and cybersecurity risk management. We’ll do so because to be an effective litigator, especially when one party is a corporation, you have to know how to humanize an idea (a business) and tell an effective story to your audience (a jury). Those same tactics can then be used to humanize another idea (a hacker) when talking to another sort of jury (the board of directors). We’ll discuss the psychological principles needed to humanize the theoretical and take courtroom principles and help make you a better storyteller in the boardroom.
Know Your Enemy
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu, The Art of War.
Perhaps Sun Tzu, an ancient Chinese military strategist, summarized it best in The Art of War, a treatise written in the 5th century BC. To be victorious, you must know your enemy. This timeless maxim has been applied throughout history not only in war, but in business, law, relationships, and life.
In the litigation arena, knowing your adversary is a critical and necessary component of achieving a favorable outcome. Presenting a case at trial, and preparing it pre-trial, involves laying a foundation and telling a persuasive story. Great trial advocates are formidable storytellers. They take the facts of the case, circumvent the obstacles that the Rules of Evidence, cross-examination, and a competing storyteller create, and emerge with a coherent, cohesive and compelling narrative. To emerge as the victorious storyteller in an adversarial proceeding, it is critical not only to understand the attitudes and worldviews of the jury, but to understand how they will perceive your side of the story.
Humanizing Your Litigation Protagonist
The central part of your litigation story is your protagonist, who is your client. If you are representing an individual, there are fewer hurdles to clear in having the jury understand your client, as you are merely asking them to understand another person. However, if you are representing a company, your storytelling burden increases, as you are expecting a jury of individuals to understand an unfamiliar entity. If both sides are advocating on behalf of a company, the task is still difficult, but the playing field is level. The most difficult scenario by far is when an advocate is representing a company against an individual, as opposed to another company. When an advocate tells a story on behalf of a company adverse to an individual, it is critical not only to present the facts in a way that tells a compelling story, but also to take the additional step of humanizing the company. How does an advocate humanize a large impersonal conglomerate? Start at the beginning. Tell a story about the company’s humble beginnings, its mission, purpose, vision and values. Discuss its hard work and its commitment to employees, customers, and society. Introduce the concept that companies are merely large entities comprised of people. People like the jurors themselves, who go to work each day to provide a good life for their families and value to society.
What Does Humanizing Your Client Have to do with Hackers?
The above discussion is a general outline of some of the ways an advocate can take an impersonal entity and bring it to life so it is relatable to a jury. Once this mysterious entity becomes relatable and familiar, a jury will be more amenable to understanding its story and position. Similarly, in the realm of cybersecurity and data breaches, if the proposed target of the attack (i.e. a company, led by a board of directors) can understand the motivations and methods hackers use, then it can better understand what type/amount of reasonable and appropriate protective protocols to implement.
Take ransomware for example. Often, an SMB executive will claim that they are not a target of cyber attacks because “I have nothing that they want” (meaning private information), forgetting of course that they have plenty of what the hacker wants: money. The business has money, the hackers want that money, the hackers know you need access to your network and data, and the hackers know how to cut off that access. That’s called leverage. Note that this leverage has nothing to do with how large the business is or how sensitive its data is; a ransomware operator only needs a network that the business cannot afford to lose. By simply remembering that the hacker is a human being motivated by profit, and not some autonomous bit of computer code crawling the world wide web sniffing for private information, that executive can begin to see how they might be a target after all and make risk decisions accordingly.
A noteworthy distinction between humanizing a company in the litigation context and the proposed hacker in the cybersecurity context, is temporal. At trial the corporation is already entrenched in the litigation process and a contemporaneous humanization must occur in order for it to be “understood” with the end goal of receiving a more favorable litigation outcome. In contrast, the company which is the proposed target of the hacker can proactively put protective measures in place, but it must first understand who the hacker is, so it can implement the most effective and efficient means to thwart the breach. Know your enemy.
Humanizing the Hacker
How does a company begin to understand the proposed hacker? Who is the hacker? What are their motivations and methods? What is their basis of knowledge? Where are they located? Are they expert or amateur? To answer these questions, we must begin by framing our inquiry in the negative. We must be aware of and understand who the proposed hacker is not. To arrive at this understanding, we must identify our cognitive biases. Cognitive biases are mental shortcuts used in human decision making. They are neither logical nor rational; they are based on an intuitive style of thinking rather than a deliberative one, and they emanate from an individual’s tendency to organize the social world by categorizing. Cognitive biases are the brain’s way of making sense of a chaotic world. As discussed above, when most people think about a hacker, their mind will conjure the dark hoodie, a masked individual, or ominous symbols. This is the first psychological mistake, and if not corrected, it will lead the proposed target down a path filled with incorrect assumptions, stereotypes and biases. The first step for the proposed target to get on the correct and proactive path is awareness. It must recognize that the “hacker” stereotype is nothing more than an archetype, and must be able to psychologically negate it in order to make room for the more realistic possibilities of the identity of the proposed hacker.
It may appear counterintuitive, but another cognitive bias likely to occur in the C-suite or executive ranks of a business arises after seeing headlines about breaches and ransomware attacks on large companies, like the ones we saw at Target, Home Depot, and Equifax. This “contrast bias” is the enhancement or reduction of how a stimulus is perceived when it is compared with a recently observed, contrasting one. Accordingly, this bias can show up in a business in this way: “since I only see large companies getting hit, that means only large companies get hit, and that means I don’t have to worry about security!” The flaw in that reasoning is that the headlines are a sample of what gets reported, not of who gets attacked; attacks on smaller businesses rarely make the news, and a less defended network is an easier target, not a less attractive one. This cognitive bias is closely related to confirmation bias, in which new information is perceived as confirmatory if it aligns with previously held beliefs and is refuted if it does not.
Getting Past Obstacles to Good Storytelling
In addition to what we just discussed, there are a few key insights to add to help you be a better cyber risk storyteller. As noted above, good litigators plan ahead to circumvent obstacles to understanding. Whether you’re a CISO, IT manager, risk manager, or insurance buyer, here are a few ways you can be an effective storyteller:
Give them a framework for understanding
Cyber risk is complex and technical, and like all industries, filled with a truly impressive amount of industry-specific jargon. For a non-technical person, trying to piece terms like “NIST 800-171”, “SIEM”, and “segmentation” into a cohesive story, without a framework for understanding, is a hopeless endeavor. It would be like having a dictionary full of words, but no idea what a sentence is. To help them, use a comparable framework as a metaphor. A useful one is workplace safety and OSHA (something far more professionals have at least some understanding of). Safety is the goal (as security is in our case), and OSHA rules (like security frameworks) provide a set of prioritized steps a business can take to increase its safety (or, in our case, reduce cyber risk). The metaphor also carries the right lesson about prioritization: just as a plant does not fix every hazard at once, a security framework is a ranked to-do list, not a checklist to be completed in a single budget cycle.
Recognize competing storytellers
If you’re approaching the board to justify a greater spend on information security or cyber insurance, it’s critical that you take into account the various goals and initiatives that compete with those of information security. To you, security might be your world. To them, it’s a small piece in a broad puzzle that, right now, includes managing COVID, diversity & inclusion, potentially poor financial performance (depending on industry), questions of remote work, and more. It’s your job to educate the board on the risks facing the company, and every person like you who is managing a department or business unit is telling their story too. Keeping this in mind helps you avoid potentially tense arguments with the board if you feel like they’re not doing enough; if you know they’ve seriously considered your proposal and weighed it against competing business objectives, that’s all you can reasonably ask for.
Look at the person in the mirror
Often, the storyteller themselves can be an obstacle. If we’re having a hard time getting the board to understand the severity of cyber risk on its own terms, then put it in terms they understand (actually, just start with this and save yourself a big headache). To effectively communicate the impact of cyber risk to your board, frame the risks as a threat to the mission of the company and its ability to serve customers, a potential disruptor of revenue streams, a regulatory nightmare, and so on. Long story short: tell your story, but tell it using their words. Play your melody, but in whatever key they prefer.
Remember this: when talking with the board, you’re first and foremost a storyteller. And the story you tell will be heard through their attitudes, experiences, and worldviews. But regardless, the more human you can make your adversary, the better your story will be.
About the Authors:
Shari E. Belitz, Esq., is the founder and Chief Executive Officer of Shari Belitz Communications, a company which teaches lawyers, insurance professionals, and companies how to harness social psychology to achieve favorable litigation outcomes. She draws on twenty years of litigation and in-house insurance experience, and academic studies in forensic psychology and jury science, to teach professionals how psychology can be used strategically to achieve success at settlement or trial.
David Kruse is the Director of Business Development at Tetra Defense, a cybersecurity incident response and consulting firm, headquartered in Madison, WI, that serves cyber insurance carriers and their policyholders through digital forensics, incident response, data recovery/restoration, ransom negotiation, proactive cybersecurity consulting, and more. Prior to joining Tetra, David worked as an insurance broker specializing in cyber and technology risk.