Why managing the human factors is crucial to a successful cyber security crisis response

by Lorena Gutierrez Manager, Crisis and Resilience, PwC United Kingdom

Email +44 (0)7483 421724

When responding to a cyber security crisis, well-embedded plans and processes are crucial to supporting the business and technical response. But a successful response also relies heavily on a number of human factors. A leadership group, often a small one, has to make difficult decisions and give direction to those relying on them, under pressure and against a ticking clock.

In contrast to other types of crises, cyber crises are particularly complex due to three characteristics:

  • They are often widespread, and their impact traverses geographical boundaries.
  • They present a high degree of uncertainty, forcing executive leaders to make difficult decisions without a full understanding of the situation.
  • The lifecycle of a cyber crisis continually evolves: the situation responders face on day three is shaped by what they did on day one. This means that the decisions responders make can directly affect how the rest of the situation develops.

The situational pressure that comes with tackling a cyber crisis can have a physiological, emotional and cognitive impact on everyone involved. The high degree of stress that crises generate has a direct effect on the brain's ability to think clearly - and therefore on how we react. Below we set out how this can affect those responding to a cyber crisis, and why minimising the impact of these reactions is crucial to a successful response.

The physiological response

Responding to a cyber crisis activates the 'fight or flight' threat circuit in our brains. This can cause strong physiological reactions - including increased heart rate, rising blood pressure, muscle twitching, a surge of adrenaline and even a numbing of the senses. Instinctively, these are all signals to avoid or escape the situation as quickly as possible. This may lead people to reach for the 'fastest solution', rather than considering the wider, long-term impact of each decision.

In any cyber crisis, the security triad of confidentiality (data is protected from unauthorised access), integrity (data is accurate and has not been tampered with) and availability (systems and data are accessible when needed) presents a challenge for executive decision makers, because protecting one property often comes at the expense of another. For example, during an event where an organisation's systems have been compromised, members of the crisis management team might decide to shut certain applications down. Doing so may limit further loss or corruption of data, but it sacrifices availability, and the decision is often driven by the physiological urge to do something 'tangible' about the problem. A decision like this may underestimate the operational impact on other business activities that depend on those applications, and that impact should be weighed explicitly before the switch is pulled.

Similarly, the rush to 'get things done' may prevent crisis managers from pausing to assess the less obvious consequences of their decisions. Even if less critical business functions are not the focus of the response, the knock-on effects of crisis decisions on them can escalate into more serious problems if left unaddressed.

The emotional response

Each person responds differently to stressors. While some might feel anxious or scared, others tend to show anger or even denial about the severity of the situation. During a cyber security crisis, these contrasting reactions can hinder responders' ability to think clearly and to agree the priorities that will drive the response strategy.

Very often, cyber security crises force the business to choose between conflicting priorities. For example, if a cyber attack has affected both the organisation's ability to pay its staff and its customer-facing systems, the crisis team might need to decide which problem receives scarce resources first. The high stakes of choosing between two or more undesirable options can trigger 'decision inertia': responders deliberate for too long - or fail to act at all - in the hope that a better option will emerge, and the situation worsens in the meantime.

The emotional response to a crisis also affects how responder teams communicate with one another and with other stakeholders. Under pressure, people's tolerance for operating with limited information, and for hearing differing opinions, diminishes sharply. The likelihood of impulsive reactions rises at precisely the time when clear, direct communication matters most.

The cognitive response

Stress, fear and high levels of pressure can interfere with our ability to process a crisis situation and therefore hinder objective decision making. Combined with the other factors typical of a crisis response, this intensifies the brain's tendency to fall back on unconscious beliefs and assumptions, narrowing a person's understanding of the situation.

The uncertain nature of cyber crises is an ideal setting for this phenomenon. Responders who are more risk-averse by nature might be reluctant to commit to decisions and spend too long trying to obtain more information, inadvertently allowing the crisis to escalate through inaction. Others might do the opposite, making rushed decisions on the strength of an exaggerated sense of confidence. And some may fall into 'catastrophic thinking', believing nothing can be done to resolve the crisis.

Anticipating the human factors is key to an effective cyber crisis response

There's no simple formula for avoiding the stress brought on by a cyber crisis. But just as crisis management plans allow organisations to rely on pre-agreed response processes, there are actions you can take in advance to minimise the impact of physiological, emotional and cognitive responses.

  1. Develop self-awareness of your own response tendencies and leadership style under stress: crisis managers benefit from reflecting on how they react when operating under pressure. Gaining that experience, either individually or through facilitated training and coaching sessions, lets you identify and anticipate your own weak points, which is useful preparation and reduces the chance of unexpected reactions when a real crisis hits.
  2. Acknowledge the critical role of wellbeing: crisis management is often misperceived as a discipline defined by a default state of constant chaos. In reality, performing effectively during a crisis depends greatly on the resilience that responders build outside the crisis room. While wellbeing means something different to each person, proactively cultivating resilience (a healthy body and a healthy mind) is a common denominator among the most effective crisis responders.
  3. Plan for the availability of resources in advance: the combination of multiple parallel workstreams and a finite pool of people is a common cause of burnout among responders within the first few days of a cyber crisis. You can reduce this risk by developing and maintaining a robust crisis management plan that includes contingency resourcing. This may take the form of a shift rota with planned handovers, or pre-arranged third party support that can be called on at short notice. By addressing resource constraints as part of your cyber crisis planning, you maximise the effectiveness of your response over the full length of the incident rather than just its first hours.

Responding to a cyber crisis inevitably involves a degree of stress. Acknowledging the human reactions that responders may experience should therefore be part of any organisation's crisis planning. No matter how sophisticated a cyber attack may be, an effective response will ultimately depend on your people and their ability to think clearly and strategically.

Get in touch with the Crisis Team to find out how we can help with your crisis response strategy and support decision makers in preparing to respond to any type of crisis.

Claudia van den Heuvel Crisis Management Specialist, PwC United Kingdom

Email +44 (0)7525 283080