Shame and Cybersecurity: Creating a Safe Space in Your Organization
“Say ‘Ta,’” said Mamma Bear.
“Ta,” said Baby Bear. He then dropped the mug of blackcurrant juice by accident.
“What have you done?” exclaimed Daddy Bear. “The carpet is RUINED!!”
Baby Bear felt a great sense of something disturbing, and this wasn’t a thousand voices suddenly being silenced. This was much deeper. This hurt, and Daddy Bear’s face was angry, disappointed. He was panicking about some purple stuff on the carpet. It didn’t make sense, and so Baby Bear could do only one thing. He swallowed the feeling as something he did, he was, and he ‘caused.’
This was shame. This was a bad feeling in the truest sense of the word. It was horrid.
In transactional analysis, this is known as an injunction. A message swallowed whole without question. In psychology, this becomes a knowing of oneself akin to an autobiographical memory recalled in an area of the brain that is now known to be called the Default Mode Network (DMN). What we also know is that this feeling is elicited from the lower regions of the brain when the salient cause is similar to the event described above. If it feels like “I did that, I messed up,” it’s followed by SHAME.
Shame and Cybersecurity
So, what does this have to do with cybersecurity? Why would this piece of knowledge be helpful to a manager, mentor, staff, and anyone else working around information security, governance, and protection? And of course, as the reader of this, I suspect you are putting key concepts together from the above about the end users that you work with, need to educate, and of course spend time with on the shop floor.
Shame is a key driver in cybersecurity attacks, and it’s also a key driver in the conversations we have with one another in a workplace and at home. It is the reason that an end user, also known as a person with feelings (which includes shame), may click a link, not do something they are supposed to, and more importantly for this explanation not speak out when they make a mistake. This is the reason the ‘oopsie’ gets brushed aside, under the carpet, or conveniently forgotten about.
It is not malicious behavior by a person but one of the most deep-rooted feelings we try to avoid as human beings. I often see cyber professionals talk about cyberpsychology, touching upon the periphery of human behavior in their talks, and sometimes focusing on the feeling of fear, which is correct in some circumstances. However, the feeling that drives 99% of humans into certain behaviors is shame avoidance. This looks like fear on the surface, and it is why many cybersecurity professionals talk to this (or should be using it as a starting block). Shame avoidance is deeply rooted in trauma, but it is also a deeply rooted behavior that we all know.
Even dogs exhibit apparent shame. I’m sure you have seen many a viral video or meme, or you may even own a dog and have a visual recall of what posture the animal takes when it has been caught after *insert destructive behavior.* The tail tucks under, the ears fold back, and the dog cowers. The dog owner anthropomorphizes the behavior and says something like, “Yeah, you better be sorry.” However, dogs are not “saying sorry” but using a well-established behavior of submission, as they have picked up on the energy of you losing your patience after they have eaten the sofa, destroyed cushions, or pooped in the kitchen in a dirty protest.
So, if dogs exhibit this, (Who knows if they feel it? It’s not like we can give them a questionnaire.) and if Baby Bear from the story above feels this, how do you expect to know what the end users’ experience of shame is? Do you know what kind of upbringing they had as a small person under the age of 3 or 7 when this behavior is internalized? What is their sensitivity level to shame, and how far are they willing to go to avoid shame? What kind of environment do you create in work where mistakes, “oopsies,” or “boo boos” are tolerated? Specifically, how do you deal with shame?
Dealing with Shame
Do you create a psychometric test to assess potential employees on these issues? (This is often a quick fix, gut response.) If so, do you think they would tell the truth? What would this be like if a colleague, a member of the staff, or end user lost a million pounds through a phishing attack? Would there still be a welcome party?
So, how do you create a shame-free zone in your business? What kind of things can you do?
What works in psychotherapy and beyond are empathy, compassion, and kindness. Along with that, learn how to have interpersonal relationships with your staff—relationships that are about listening, learning, and supporting them. Reciprocal self-disclosure is also helpful. This means learning about human behavior in depth, and not just through surface-level personality tests, psychometric scoring, and assessments with Likert scales. For example, on a scale of 1-10, how are you finding the cleanliness of the office? This means learning about your staff on a one-to-one level, both objectively and subjectively. Developing skills to do this may be beyond the generic and means that you need to create that space for your staff at every level.
Learning about your staff subjectively means you must approach each person as a unique individual. We need to understand each person has an influential past in the here and now. The reason for this is we all have psychological baggage that gets in the way of our day-to-day business work, and it can often drive mistakes because our mind is not on the job. Shame is just that; it is the monster that lives in us and can lead to feelings of unworthiness, badness, hopelessness, and of course uselessness. The way to fight this behemoth is to be the member of staff who cares, does not judge, and knows that life gets in the way of the simplest tasks. If you want your staff to come to you when they “oopsie,” you should be willing to share that you too also have flaws and that you also make mistakes.
Be kind. Be human. Be real.
About the Author: Cath Knibbs is a tech geek, gamer (of sorts), tech/gaming therapist, and a cybertrauma and trauma psychotherapist who uses biofeedback/tech and gaming to elicit Post Traumatic Growth, healing, and flow. She is a functional health and nutrigenomics practitioner and incorporates this into her psychotherapy practice, too. Her model is Interpersonal Neurobiology with an emphasis on Polyvagal theory (not a vagal nerve ‘hacker’). Her recently published book is available for pre-order. The book focuses on the ‘why’ we do what we do in cyberspace and how to help children, young people ,and adults. She is a disruptor, advocate for children’s rights, privacy, and digital explorations online. She also educates therapists via her company Privacy4 about Data protection/privacy/cybersecurity issues in relation to their practice. She is also a Director and mental health advisor for Gamersbeatcancer CIC.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.