Relying on Fear, Uncertainty, and Doubt (FUD) as a security strategy lasts only so long before FUD fatigue, the digital version of the boy who cried wolf, comes into play. “The biggest downside to FUD is its overuse,” writes Kerry Ann Anderson in her book The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture. “FUD comes in many variations, such as dubious metrics and Return on Security Investment (ROSI)-based surveys rather than internal data.”


Threat rigidity is next

If security professionals cry wolf too often and/or allocate resources (financial and personnel) to a perceived threat ineffectively, a social-science phenomenon called the Threat-Rigidity Effect comes into play. The Economic Times defines threat rigidity as the following behavior:

“When under threat or in a crisis, companies are inclined to more firmly focus on the one thing they do well (e.g., their core product or service), stop doing other things, and become more hierarchical and top-down in terms of management control.”

In their seminal paper Threat Rigidity Effects in Organizational Behavior: A Multilevel Analysis, coauthors Barry M. Staw, Lance E. Sandelands, and Jane E. Dutton point out:

“Maladaptive cycles are predicted to follow from threats which encompass major environmental changes since prior, well-learned responses are inappropriate under new conditions. In contrast, when a threat does not involve major environmental change (e.g., when no basic causal relationships have been altered), rigidity in response may not be dysfunctional.”

Put simply, threat rigidity is when an organization hunkers down in a defensive mode, which benefits no one if the threat is only imagined. The diagram in Figure A describes the manifestations and actions organizations typically take when dealing with a threat, perceived or real.

Figure A

The diagram in Figure B, also from Staw, Sandelands, and Dutton, depicts the two behavioral consequences first mentioned in Figure A: Intensification of the Threat (increasing rigidity) and Reduction of the Threat (avoiding rigidity). The coauthors hold that incremental change is preferable to radical change, in which an organization collapses to its core competencies and management hierarchy.

Figure B

Is threat rigidity for real?

For his GIAC Gold Certification thesis, Threat Rigidity in Cybersecurity, Michael Weeks surveyed senior members of IT departments and CIOs in an attempt to determine whether threat rigidity applies to cybersecurity and, if so, how cybersecurity professionals successfully avoid threat rigidity during cybersecurity incidents.

It seems that threat rigidity is indeed a real and present danger. “When an organization perceives a threat to its existence, the group will respond using the concepts in threat-rigidity theory,” writes Weeks. “There is a constriction in control where leadership will focus resources on dealing with the threat. Also, there is a restriction of information with a focus on preconceived notions and hypotheses.”


Proper communications are key

Since threat rigidity occurs when FUD is spread, Weeks suggests that a successful cybersecurity professional will carefully communicate to management how prior incidents were handled and convey new ideas on how to eliminate the current threat. “Any message to a group must contain the minimal amount of critical information needed to support the reaction to a threat,” explains Weeks. “Not only evaluating all data points, messaging also carefully considers how the recipient perceived those data points. Knowing an audience and what preconceived ideas and hypotheses they may bring is central to proper communications, especially in a threat-response scenario.”

Not a trivial skill

Weeks notes in his paper that guiding an organization successfully through a security incident is not a trivial skill, but one cybersecurity professionals must strive to attain. “Ensuring an organization is confident that a cybersecurity professional is managing a response is arguably just as important, if not more so, than implementing a technical control,” Weeks writes, adding it is the only way a cybersecurity professional can maintain his or her credibility.

In conclusion, Weeks suggests, “Cybersecurity professionals would do well to learn to ensure that all responses are adequate, within reason to the threat, and that the reaction is communicated carefully to superiors and the rest of the organization.”

Using this approach, according to Weeks, will help avoid threat rigidity, enable trust between management and the cybersecurity department, and ultimately keep the organization innovative and growing.