• United States



Mary K. Pratt
Contributing writer

Will your incident response team fight or freeze when a cyberattack hits?

Feb 06, 20239 mins
CSO and CISOCyberattacksIncident Response

CISOs train their teams to fight hackers but often overlook the human tendency to freeze up during a crisis. Planning for the psychology of incident response can help prevent a team from seizing up at the wrong moment.

If there’s an intrusion or a ransomware attack on your company, will your security team come out swinging, ready for a real fight? CISOs may feel their staff is always primed with the technical expertise and training they need, but there’s still a chance they might freeze up when the pressure is on, says Bec McKeown, director of human science at cybersecurity training platform Immersive Labs.

“You may have a crisis playbook and crisis policies and you may assume those are the first things you’ll reach for during an incident. But that’s not always the case, because the way your brain works isn’t just fight or flight. It’s fight, flight, or freeze,” she says. “I’ve heard people say, ‘We knew how to respond to a crisis, but we didn’t know what to do when it actually happened.’”

McKeown is a psychologist whose research into high-risk/high-stakes industries has given her perspective on how humans react during crises. Her take isn’t merely theoretical. Security chiefs say they, too, have seen teams become paralyzed when responding to real incidents—including teams that had drilled for such events.

Problems mount when a team freezes

A delay in response, even if it’s only a few hours, can give bad actors more time to inflict damage and extend recovery time. It can also lead to increased response costs, possibly higher regulatory fines, and lost business.

Given the potential for such reactions, McKeown, analysts, and longtime CISOs say security leaders should anticipate that freeze response, incorporate practices to help minimize the chances of it happening, and develop strategies to identify and cope with it if it does indeed occur during an actual security event.

“You have to understand how you’re going to react in these times of crisis. You can develop skills in your people that can make them agile and help them react when they don’t have all the situational awareness. It’s a psychological preparation,” McKeown says.

How and why teams become paralyzed

CISOs shouldn’t be surprised to hear that even well-prepared teams can have moments of paralysis; it’s just human nature, McKeown says.

She says sometimes responders may experience cognitive narrowing, where they’re so focused on the situation directly in front of them that they can’t consider the full circumstances—an experience that can stop responders from thinking as they normally would.

Niel Harper, an enterprise cybersecurity leader who serves as a board director with the governance association ISACA, witnessed a team freeze in response to a ransomware attack on his first day working with a company as an advisor. “They literally did not know what to do, even though they had some experience with [incident response] walkthroughs,” he recalls. “They were in panic mode.”

Harper says he has seen other situations where the response was stymied and thus delayed. In some cases, teams were afraid that they’d be seen as overreacting. In others, they were paralyzed with the fear of being blamed. And in still other incidents there were no team members who had experienced and worked through a real-world event, leaving no one who felt confident to lead. “All those issues, alone or combined, can lead to organizational freeze,” Harper says.

Chris Hughes, an adjunct professor with the School of Cybersecurity & Information Technology at the University of Maryland Global Campus, says he, too, has seen such a situation play out. He was working with a security team in a government agency that identified suspicious traffic, confirmed it as malicious and then—boom—hit a roadblock that stopped them from taking action.

The bystander effect

“It was a little bit of the bystander effect. They were assuming or hoping that a teammate would jump in and take a lead on this thing. And no one really did; no one was stepping up,” Hughes says. It took a senior leader coming in “to jolt them out of their shock.”

On the other hand, experienced security chiefs say sometimes it’s executives who freeze, stuck in the feeling of “this can’t be true” and “this can’t happen to us” before becoming convinced over time that it’s real. “These freeze moments often happen when there’s a lot of fear—fear regarding how bad it is, how much it could hurt [the organization]—and when there’s a lot of uncertainty,” says Ed Skoudis, president of the SANS Technology Institute. “There’s all this information coming in, but teams don’t know what’s real or what’s not and what’s the best way to go. There’s a lot of doubt. And when there’s fear, uncertainty, doubt, or all three, it’s crippling. And it happens a lot, where organizations just don’t know how to proceed.”

Norman Kromberg, CISO of cybersecurity services firm NetSPI, has seen a team “get to a point where things have stopped.” He was a security leader at a company that declared an incident when malicious insider activity had been uncovered. His team had been working “full speed, all hands on deck” for nearly two weeks in response, with law enforcement, forensic experts, accountants, and the cyber insurance company also pitching in. Then his team hit a wall and couldn’t break through; they weren’t making any progress.

“I could hear on the status calls that they were snarly, short with each other,” Kromberg says, explaining that he believed the fatigue and pressure had his team in a holding pattern. “We weren’t able to advance the recovery process.”

How not to freeze

When he saw his team stuck and deduced the reasons why, Kromberg told everyone to go home. “We were at a point where we could take that weekend off, and that included not just our team but the vendors, legal and law enforcement, too. We took the time off and we came back Monday and came back refreshed,” he says, adding that the responders were able to quickly move forward as a result.

He says that experience has taught him to plan for such moments in the future. He and others say CISOs everywhere should do the same, noting that they can incorporate various drills to help minimize the likelihood of teams becoming paralyzed.

First, ensure the basics. “CISOs can take a variety of steps to help prevent teams from going into freeze mode by developing incident response plans, training incident response teams, regularly simulating incidents, encouraging open communication, having a transparent chain of command, and having a precise risk management and incident management strategy,” says Philip Chan, an adjunct professor with the School of Cybersecurity & Information Technology at the University of Maryland Global Campus.

Security experts say CISOs should next examine their drills (which, of course, they should have and run regularly) and add elements that can help their teams better prepare for real events.

Prepare for the unexpected

“Bring up several new things that aren’t in your playbook,” McKeown says. That may mean having a worker deliberately make a wrong move—for example, one which completely shuts down a critical system—during the drill so the team can practice working through the unexpected or a devolving situation. Such practice, McKeown adds, builds agility and teamwork, which can help head off the finger-pointing and arguing that often arise during crises, locking up teams and hindering their ability to move forward fast.

Kromberg says he once held an unannounced drill after a midday Friday holiday party. He was aware hackers know to plan their attacks when corporations may be the most vulnerable, so he wanted his team to practice for such a circumstance. In this case, he says the team had to learn how to quickly shift into high gear and work without key people who had already headed out on vacation.

McKeown, Kromberg, and others say CISOs and their security teams also gain muscle memory by holding practice drills that mirror real events as much as possible. That means starting from the beginning—such as the earliest warnings—and running the scenario through with hands-on simulations (versus a tabletop or walk-through type of training session).

“It’s more palpable when you get hands on keyboards, where you go through the actual motions,” says Hughes, who is also co-founder and CISO of Aquia, a firm specializing in cloud and cybersecurity professional services.

Use a countdown clock during drills

Skoudis says he has used a countdown clock during drills, which also gets teams used to working under the intense pressure they’d feel in an actual incident. “It’s awkward but you want practice being in that place so you’re building that muscle memory,” he says.

Others also advise CISOs to try to involve as many of the enterprise executives, other departments, and outside support that would be working in tandem with security, IT, and incident response to determine whether those additional participants would be the ones to become paralyzed. “You may see other areas where things could freeze up, like if a CEO will [balk] at talking about financial information that’s needed during an incident,” Kromberg says.

CISOs should also consider how in a real crisis they can create channels for workers to bring forward solutions, says Thomas Randall, advisory director at Info-Tech Research Group and its SoftwareReviews division.

Randall notes that science has found humans don’t just respond to crises with flight or flight, they respond with fight, flight, freeze, or fawn (when people become overly helpful)—with the fawn response adding calm and possibly creative solutions to the crisis. “So, make sure colleagues feel comfortable enough to suggest a solution even in a stressful situation,” Randall says.

Allow for creative solutions

Teams may not have a lot of time to contemplate ideas during an actual incident, Randall adds, but it’s nonetheless important to have some conduit for offering and evaluating them on the fly, as those creative solutions may be the ones to lead teams up and over the roadblocks that get them locked up.

Another step CISOs can take to help avoid those freeze-up moments: Hire workers who have experience working through breaches and hacks and/or contract with outside incident response teams who do this work regularly.

Harper says security chiefs shouldn’t underestimate the value of such experience; he says those who have worked through crises develop muscle memory that keeps them calm and let them shepherd others through the stickiest parts that stump inexperienced workers.