Developing a Strategic Cybersecurity Training Program Let’s Get Smarter Post # 2
Understanding the Comfort Zone
A comfort zone is a type of mental conditioning (mindset[1]) that causes a person to create and operate within mental boundaries. These boundaries are most often the source of an unfounded sense of security where apathy and complacency are common. It is where organizations and each member of the workforce traditionally spend most of their time, and it is characterized by the boring, regular tasks performed satisfactorily each day. This leads to a feeling of safety and being in control when, in fact, there is a lack of situational awareness that results in being unprepared to detect anomalous behavior and failing to be equipped to respond in accordance with the security leader’s intent.
In cybersecurity, the environment includes the working environment of the individual’s role within the organization, its performance within the enterprise operating environment of the organization, and, of equal importance, the performance of the desired security behavior. In the comfort zone, the organization’s primary focus is often meeting its industry’s regulatory requirements. Consequently, the training, preparation, and testing of desired security behavior are minimal, fail to address the behavioral aspects of human nature, and are often the primary factor that leads to the individual failing to attain the desired level of security behavior performance.
In today’s cyberwar environment, people are numb to the security events occurring around them due to the mindset that has been developed by the repetitive execution of the same tasks day after day. Within the comfort zone, there is not much incentive for people to reach new heights of security behavior performance. They execute their daily routines, on a performance plateau, devoid of concern related to the risk associated with their security behavior.
Judith Bardwick, in her 1991 book “Danger in the Comfort Zone,” defined the comfort zone as a behavioral state within which a person or organization operates in an anxiety-neutral condition, using a limited set of behaviors to deliver a steady level of performance. Consequently, they operate with a false sense of security and safety that produces complacency. When you are complacent in cybersecurity, your state of mind is conducive to a successful intrusion effort by a cyber criminal.
If we are complacent, as we often are in our comfort zone, the principle of human nature that makes us creatures of habit often leads us to develop normalcy biases that cause a person to ignore abnormal behavior within their ‘comfort zone’ environment. This bias toward the ‘status quo’ creates a mindset, for the individual, that since nothing has happened when I behave this way, nothing is likely to happen. Such a bias becomes a form of distraction so engaging that it blocks all other stimuli in our environment. It is reasonable to assume, then, that such a block is a significant contributor to the human error, often attributed to a lack of situational awareness, that has been identified as a primary cause of a successful breach attempt.
When individuals operate predominantly within their comfort zones, several human limitations can become entrenched, potentially increasing the likelihood of human error. Here are some ways this occurs if an individual and/or an organization predominantly operates in the comfort zone:
- Comfort zones often involve familiar tasks and routines, which can lead to stagnation in skill development and knowledge acquisition. Without continuous learning and challenge, individuals may not keep pace with evolving threats and technologies in fields like cyber defense.
- Operating within a comfort zone can reinforce existing cognitive biases, as individuals may seek information that confirms their beliefs and ignore conflicting data.
- Comfort zones can lead to complacency, where individuals stop questioning the status quo and fail to anticipate or recognize potential issues.
- Familiarity with routine tasks can breed overconfidence, leading individuals to underestimate risks or overlook potential errors.
- Comfort zones can create resistance to change and innovation, as individuals may prefer familiar methods over new, potentially more effective ones.
- Operating solely within a comfort zone can leave individuals ill-prepared for unexpected situations or crises, where adaptability and quick thinking are crucial.
- Comfort zones can lead to siloed thinking, where individuals or teams do not collaborate effectively or consider input from others.
Real growth never happens in the comfort zone. The result is an individual who poses no threat to the enemy but, conversely, becomes a threat to their own safety and security and to the viability of the organization’s cyber defense plan!
In the next post, we will examine how to assess the current state of cybersecurity training in your organization.
As a note, Steve King frequently chastised me for being so verbose and stressed that I needed to be shorter, as “people do not have time to read long articles.” While I understand the need for brevity, my career in sales has caused me, as it does most salespeople, to say something in 1000 words that someone like Steve could say in 100. On that note, and given my continued failure to be brief, I will write more posts than originally planned as a way to be brief!
[1] A mindset provides a person’s perspective on any subject and is the product of the individual’s formal education, experience in the use of that knowledge, and operating in an environment according to the habitual behavior they and their peers have developed.
#training #securityperformance #journey #mindset #mentaltoughness #culture
I hope you find this post, one of three on the Comfort Zone, informative.