Hit too many times with successful attacks and compromises, an enterprise's human resources can develop a victim mentality, a.k.a. learned helplessness. When this happens, employees who feel they are helpless to do anything effective to fight cyber attacks lose hope.
CSO looks at the symptoms of the victim mentality in the enterprise, how it comes about, and what enterprises can do technically and psychologically to avoid it.
The victim mentality and its symptoms
In the field of psychology, professionals also refer to the victim mentality as learned helplessness. "Learned Helplessness is a pattern of behaviors that develop in people when they are in a situation where they feel they have no power or control and they essentially give up," says Steven Salmi, PhD, LP, President and CEO, Corporate Psychologists.
Learned helplessness can surface in the corporate world where constant and extreme information security threats flourish. "If people feel stuck in a situation where no available choice will get them out of it, they can start to shut down," says Salmi.
There are ear marks or symptoms that can help an organization to gauge whether its people may have succumbed to learned helplessness. One of those symptoms is apathy. "Your people will exhibit passivity and disengage from their work. They won't put in the discretionary effort that your high performers do," says Salmi. Or, they may intermittently demonstrate lower levels of engagement.
And because misery loves company, affected employees may try to bring others down or look for co-workers who are already afflicted with whom they can share their emotional state. "People with learned helplessness point the finger, give excuses, shift the blame, and procrastinate. They can be more pessimistic, even defensive," says Salmi.
Steven Salmi, PhD, LP, President and CEO, Corporate Psychologists
One security expert has empirical evidence that supports the psychological interpretation. "I hear continuously that breach is inevitable and you simply must assume compromise and that it is not possible to build systems and security that can stop attackers," says Eric Cowperthwaite, Vice President, Advanced Security & Strategy, CORE Security.
Further evidence appears when enterprises buy security breach insurance despite the fact that they don't have a visible security program. "This happens because the organization assumes that breach is inevitable and that they need to try to transfer the risk using insurance," says Cowperthwaite.
Finally, the victim mentality is visible when security leadership wants to immediately focus on stopping the biggest potential threats such as Zero Day Attacks and APTs before addressing basic security. "They assume that the bad guys are so advanced that the organization cannot stop them by doing the basics of security," says Cowperthwaite.
Sign up for CIO Asia eNewsletters.