Emergency responders practice continually so that their response during a crisis is inherent and automatic. This approach is also used by many cybersecurity teams, and with good reason: In an emergency, time to think, gather information, and consider all options is limited. Practice builds in an element of unconscious response, along with the ability to be guided by intuition.
This approach is based on a school of thought called naturalistic decision-making (NDM) and has changed many crisis outcomes for the better. There is a challenge, though: What if the responder is confronted with a new situation?
“While NDM has some benefits, research also shows that intuition can lead to crisis responders doing something without knowing why,” said psychologist Rebecca McKeown in her Immersive Labs article The Psychology of Cyber: Why thinking on your feet is critical to cyber crisis response. “In new situations with complex never-before-seen variables, an intuitive and gut-feel response could therefore be incorrect.”
What are “wicked problems”?
McKeown’s focus is the cybersecurity space, where wicked problems are the norm. A wicked problem is one that’s: “difficult or impossible to solve because of incomplete, contradictory, and changing requirements that are often difficult to recognize. It refers to an idea or problem where there is no single solution; and ‘wicked’ denotes resistance to resolution, rather than evil.”
McKeown quoted British General Nicholas Houghton as saying, “This does not mean they (wicked problems) are unsolvable, but the approach must be open-minded, agile, flexible, and adaptable to work through the complexities.”
What is cognitive agility?
Research, McKeown said, has identified a new cognitive agility approach that, through agile, adaptive thinking, will go a long way to improve the odds against heretofore unseen adversarial encounters.
“Cognitive agility reflects the capacity of an individual to easily move back and forth between openness and focus,” said Jared Ross, Lucas Miller, and Patricia A. Deuster in their National Library of Medicine article, Cognitive Agility as a Factor in Human Performance Optimization. “Cognitive agility training (CAT) has the potential to increase emotional intelligence by improving an individual’s ability to toggle between highly focused states to levels of broad, outward awareness, which should enable dynamic decision-making and enhance personal communication skills.”
To translate that to cybersecurity, McKeown suggested that employing CAT can only enhance the current methodology used by cybersecurity responders. “To do this, organizations must focus on continual personal development,” she said. “Only by frequently running simulations can these people become self-aware enough to understand how their thoughts, decisions, and actions impact performance.
“By developing this kind of cognitive agility, cyber-response teams will get the best of both worlds. This means developing tried-and-tested skills while being self-aware enough to trust their subconscious, intuitive reactions in the context of the situation in front of them.”
What are the elements of cognitive agility?
In her next article in the series about cognitive agility, The Psychology of Cyber: Understanding cognitive agility as a fix for the ‘wicked problem’ of cyber crises, McKeown defined the core concepts that each cybersecurity responder needs to incorporate. She first injected some advice: Those responsible for a company’s cybersecurity must consider CAT as building on and not replacing their current way of doing things. With that understood, the focus moves to the following core concepts:
Flexibility: Being able to consciously control one’s thinking, switch between concepts, and consider multiple views of the crisis as it unfolds is essential. “By considering the context of a situation, incident responders learn to challenge automatic responses that might be incorrect,” McKeown added. “In a cyber crisis, this could be ensuring that overall business risk is a part of decision-making as opposed to simply pursuing technical goals.”
Openness: Cybersecurity events are complex, and those responding need to be open to ideas and how the stakeholders view the situation as it unfolds. “In psychological terms, not doing so could cause them to fall foul of the Dunning-Kruger effect,” she said. “This cognitive bias leads people to believe they have all the answers, which ends with flawed solutions becoming embedded into the crisis from the very beginning.”
Focus: This is likely the most important of the three concepts. The ability to focus on what’s relevant and ignore distractions is an acquired skill we all think we have, but likely do not. McKeown mentions, “Deluged with a combination of technical data, reputational analysis, and legal advice; effective incident responders are those with the ability to home in on what is important.”
Why does cognitive agility work?
Cybersecurity professionals know that what exists now is not working and are willing to look at soft skills to improve their success rate. Psychologists like McKeown have ideas on how to help.
“Cybersecurity presents an interesting new domain for the psychology of crisis response as it requires a higher cognitive workload than many traditional situations,” McKeown said. “Developing these softer skills could have a powerful cumulative effect on crisis response in this complex hybrid area. In a space which is often defined by machine-on-machine attacks, it is ironic that the human element might give defenders the edge.”
It seems worth a try.