Cybersecurity and Polyvagal Theory

Today’s post is inspired by the book I’m currently reading called “Brain-Body Parenting: How to Stop Managing Behavior and Start Raising Joyful, Resilient Kids”. It’s an excellent book and a must read for any parent or caregiver. I wish I read it earlier, but it’s never too late.

Sense of Safety In Cybersecurity

As security leaders, our job is mainly to keep the company’s data safe. How do we do this? Well, there are a number of ways this is done from a tactical sense, which I won’t go into here.

What I do want to go over is the emotional aspects of the job. Depending on your environment and leadership personality it can be a little hand-wavy, but there are practical aspects as well. Here are a few:

• Board Updates

• All hands presentations and meet & greets

• An accessible and friendly security team via:

  • Excellent written and verbal communication

  • Guides and knowledge sharing

  • Security awareness social activities and games like Hacker Jeopardy

According to Polyvagal Theory, when the ventral branch of the vagal nerve in the parasympathetic system is activated, the brain and body system is in a state ready for social engagement. This includes curiosity and openness. This is considered the “Safety” and relaxation state of the system.

So the takeaway here is to create a culture in your organization where people are open to learning and understanding what you have to offer them in terms of cyber security.

People inherently want to do the right thing for the betterment of the company, but they also have jobs to do of which they were hired to do. In the next few paragraphs we’ll discuss what can threaten the openness of the “safety” state.

Threats to the Sense of Safety in Cybersecurity

Unfortunately there are a lot of counter-productive actions done in our industry that threaten the sense of “safety” of our valued users and employees in an organization.

In Polyvagal Theory, the sympathetic nervous system otherwise known as the “Fight or Flight” mechanism will subvert any sense of safety experienced in the body. This includes key words such as:

• Anxiety

• Worry & Concern

• Irritation

• Fear

What does this have to do with cybersecurity?

Well, in my travels as a security professional, I have experienced many people with a slight form of trauma from security teams that have a legacy or oppositional approach to security. The following activities are examples that would activate the sympathetic (“danger”) nervous system:

• Frequent phishing simulations without warning

  • Note: I have heard of teams rooting to see how many people they can successfully “get” in a phishing exercise.

• Hiding behind policy and not giving exceptions - Inflexibility

• A general lack of “thinking outside the box”

• Non-collaboration

Any or all of these activities will cause an employee to not build “trust” with the security team. If there’s no trust, then they will obviously be less inclined to work with that team or go to them for help.

It may also cause people to “Freeze” or “Shut down”... which leads to the next part of the Theory…

Freeze or Shutdown Response to Cybersecurity

The last part of Polyvagal theory I want to cover is the “Shutdown” or “Dissociation” state of the nervous system.

This is where the system shuts down to reduce the amount of pain experienced. Similar to an animal playing dead, or possibly “ghosting” in modern relationships (workplace or otherwise).

In cybersecurity, this is probably the worst state you want your target audience to be in. This is where no matter what you say, they are not receptive to your advice. In fact it could have the opposite effect.

A practical example is a team going to production without involving security on a deliberate basis. They don’t want to deal with the “headache”, “roadblocks”, or other perceived detriments to their launch.

At that point, you have a security team that’s having an opposite effect than intended!

Cybersecurity - A Systemic View

In neuroscience, discoveries are being every single day about the brain. As such, we need to rethink our assumptions about the brain, the body, psychology, and behavior.

The same is true in Cybersecurity.

Only a few years ago did we realize that our approach towards passwords was an anti-pattern in security.

Organizational psychology, marketing, and other disciplines have been around for awhile. We as leaders need to take a multi-disciplinary approach towards our jobs if we want to achieve our goals of improving and maintaining security.