The Subtle Sabotage Of Blame In Cybersecurity & Online Safety

A SCARS? Insight by Tim McGuinness, Ph.D.

We all do it, we all blame someone for something.

Sometimes it is justified, sometimes there is cause, and it is very hard to remove it from your vocabulary - but it is always destructive.

I recently heard a cybersecurity training professional tell a story about motivating a corporate team to do better with cybersecurity. It was something to the effect that they needed to learn the material because "You don't want to be the one that lets a breach happen!"

Now think about that for a moment and let those words sink in. That is not motivation, it is blame - blaming in advance! Letting those people know that there will be blame in the event of a mistake or an incident. What would be your reaction if someone said that to you?

Yet, if we are honest, that is the way most of us talk to our children or were talked to by our parents too. This is where we learn our blaming approach to life - it starts as children - being told that we will be to blame if we do something wrong. It wires itself into our brain and without even realizing it we perpetuate it for the rest of our life - in our personal life, with our family and friends, and in the workplace.

I myself have been very guilty of this and until I started seriously focusing on victims' assistance (cybercrime victims) I did not realize the extent that I myself used it too.

When you try to help traumatized people recover from deep manipulative cyber-enabled crime you begin to develop an understanding of how language can affect them, and how you have to modify the tonality of your language to help them. But as I and the organization I am a part of [SCARS www.AgainstScams.org] has more fully explored the trauma of victims, we realized that overcoming blame was not limited only to victims. In fact, it appears that "Pre-Blame" is one of the contributors to the self-blame and shame that victims of cybercrime feel after the event.

Almost everyone that experiences a cybercrime - especially those based upon social engineering and manipulation - experience some shame after the event. This shame will prevent the victim from reporting the crime, fully accepting it, and prevent them from sharing the experience with friends, family, or co-workers. This sense of shame even appears to increase the longer it is maintained. That is to say, the longer the secret is kept the harder it is to tell it.

When looking at this problem of "Pre-Blame" or "Set-up Blame" in the corporate context we see this tendency to try to reinforce the importance of cybersecurity by setting up a sense of dread in the team members so that they will "stay on their toes." Except that we see that it has the opposite effect. That sense of dread not only creates fear of making a mistake which can inhibit critical, logical, and solution-oriented thinking that would make it difficult for someone to mitigate an incident but can cause paralysis after the realization that it was their fault.

As we teach - there are THREE STAGES in a cyberattack or cybercrime:

1. The Attack - the actions that create or exploit a vulnerability - either of a system or a human. These are the actions perpetrated by the attacker.
2. The Defense - the critical actions that need to be taken to stop an attack and mitigate its immediate impact.
3. The Recovery - this is actually the step most overlooked in the cybersecurity profession and by victims themselves. It deals with the postmortem of the attack, but also helps humans to understand their roles without blame and to recover from the inevitable trauma that came from that experience.

Trauma is an inevitable part of the cybercrime experience just like it is in any form of violence - and make no mistake - cybercrime is violence - no doubt about it. As Interpol says "Online Crime Is Real Crime!"

Yet, so often in the corporate or family context, we set up the blame in advance, and when the incident occurs we already know who and how to blame like a coiled snake ready to leap. The impact of this is not just a sense of guilt or shame by the individual involved, even if it was a mistake that anyone would make, but it also sabotages the recovery after the incident and sabotages the further hardening of the environment that will be necessary for everyone's future security.

Consider that when you set up your teams with an advance understanding that there will be blame, the following occurs:

• Everyone develops a sense of dread, in some cases, it can almost become a phobia about using technology - the fear that they will break something.
• The team will be less likely to work together on problems for fear that someone else will discover how little they know (or they think).
• In the event of an incident, people are reluctant to ask for help that could reduce the impact.
• If an event does occur the team members will be more likely to cover up the incident and not ask for help to prevent future attacks because they expect to be blamed.
• Each team member believes that when it hits the fan they are on their own.

This is not hypothesis, this is how humans are wired.

When people believe they are at fault they will blame themselves and the same negative effects will still apply. In studying this phenomenon we have found that most victims will not recover from this. About a third will develop various forms of denial. Another third will express their self-blame or shame through anger or aggression. We find that only about one third are sufficiently realists to accept that the event happened and can work through the trauma and let go of the blame or shame associated with it.

The result is certainly not something that any organization wants to instill in their teams or wants to be sustained after an incident. And the irony is that much of it is self-created by the simple way that trainers and managers use blame to try to motivate their people instead of developing the essential cooperation that defends and repels attacks, and more importantly, since all defenses will ultimately fail, to develop the recovery processes and mind-set that get everyone back working as a team.

Almost every organization understands the impact on their workforce when there is violence affecting their team - HR departments know how to refer to or bring in trauma counselors when there is an assault, domestic abuse, harassment, etc. But cybercrimes also leave people traumatized, especially if it was a person's own mistake that caused it or they believe it was their fault.

A recent trend around the world is to even litigate against an employee that makes a mistake. Imagine the pressure that everyone is under when that is on the table. Especially when the fact is that everyone makes mistakes, every security fails, and even the best training overlooks something.

Cybercriminals are smarter than your team. They will get through, count on it.

But how you come out the other side is a direct function of how you prepare your team to be motivated to act and how you support them after an incident. Get that wrong and you will remain broken.

Video Link: https://youtu.be/RZWf2_2L2v8

You Need Help!

We are SCARS and we can help, even if you are a corporation that needs help teaching the teachers. You are welcome to contact us about how our smart people can help your smart people become even smarter!

You can reach us for training and consulting support at: [email protected]

By the way, if you would like to help us to help scam victims? Please visit: https://donate.AgainstScams.org

If You Are A Victim Of Cybercrime We Can Help!

We are SCARS and we support scam victims worldwide!

If you are a new victim, this is your starting point https://romancescamsnow.com/for-new-scam-victims/

• TO LEARN MORE ABOUT SCAMS: www.RomanceScamsNOW.com
• EN ESPA?OL: www.ContraEstafas.org
• TO HEAL: www.ScamVictimSupport.org

We have full translation for most languages on all of our SCARS Websites

If you are looking for local trauma counselors please visit https://www.psychologytoday.com/us/therapists/trauma-and-ptsd

We are a government registered incorporated online crime victims' assistance & crime prevention nonprofit organization based in Miami, Florida, U.S.A.

We are here to help!

Copyright ? 2020 Society of Citizens Against Relationship Scams Inc. [BDA "SCARS"] www.AgainstScams.org