The human response to cyber crises is not something that can be bought off a shelf and installed over the weekend. On average, it takes 96 days for a human to develop the knowledge, skills and judgment to defend against breaking threats – and that is too long during times of heightened threat.
Immersive Labs provides a platform designed to raise the cyber capabilities of a company’s entire workforce. “We’ve been operational since 2017,” the company told SecurityWeek, “and have collected a weighty amount of data – 2,100 organizations, 500,000 cybersecurity exercises at either our labs or via a crisis simulator looking at 1,500 separate threats or incidents, which could be anything from ransomware to SOC teams looking at specific malware.”
A Cyber Workforce Benchmark 2022 report (PDF) has analyzed the exercises and simulations. The results show that the technology and financial services sectors spend the most time on preparing the workforce for cyber incidents – with other critical infrastructure companies preparing the least.
But what really stands out from the report is that business has yet to learn how to handle ransomware. “Seven out of the top 10 least confidently answered crisis scenarios across the entire platform were focused on this threat,” says Immersive. To a large degree the problem centers on the fundamental question: to pay or not to pay? The predominant preference is to not pay. Eighty-three percent of organizations responding to the report’s questions chose not to pay. Despite this, 18% of government crisis response teams – who are usually ‘instructed’ to not pay – did so.
SecurityWeek spoke to Rebecca McKeown, director of human science at Immersive Labs, and a visiting lecturer in applied psychology at Cranfield University. We wanted to understand the human psychology involved in responding to ransomware and how companies can better prepare the workforce. McKeown has also spent 15 years working on a Ministry of Defense project looking at learning and development and thinking skills in difficult situations.
“I see a lot of overlap between what the military has done and what it’s like to work in a crisis situation …