Emotional Health of Incident Responders
I was prompted by some colleagues to look into the psychological impact of the stress related to handling cyber incidents. Organizations and staff experience many of the same impacts found in the stages of grief or the stages of acceptance, e.g., Denial, Anger, Bargaining, Depression, Acceptance. The question, then, is what tooling exists that organizations could leverage to mitigate the negative impacts?
I have done some digging into concepts and tools that could potentially be used to create a framework for organizations to deal with the psychological impacts of cyber incidents. An associate, Dr. Amy Grubb of the University of Gloucestershire, suggested several potential ideas. Two that are used in serious trauma scenarios include the ‘Trauma Risk Management (TRiM)’ and the ‘Critical Incident Stress Management (CISM)’.
Developed for the UK Armed Forces, TRiM is a peer-based approach in which people are identified to provide support after stressful experiences. These people, called ‘TRiM practitioners’, get specialized training to understand the effects traumatic events can have on people. They aren’t medical personnel but have training to understand confidentiality and offer practical advice and assistance. Training for this lasts a few days.
To modify Trauma Risk Management (TRiM) for cybersecurity teams, it could potentially be tailored to address the unique stressors of cyber incidents, such as the intense pressure of responding to breaches or handling the instinct to deny it, and the potential for significant organizational impact. Training could focus on recognizing psychological distress specific to cyber contexts, such as anxiety from constant threat exposure or guilt and anger over perceived failures. Support mechanisms could include debriefing sessions that focus on emotional and psychological experiences of cyber incidents, alongside regular monitoring and peer support for resilience building. This adaptation could acknowledge the distinct environment and challenges faced by cybersecurity professionals, promoting psychological well-being and operational effectiveness in the aftermath of cyber incidents.
The second tool is CISM, which has 7 defined phases that a ‘debriefing’ would follow. These stages include:
- The Assessment Phase. Leaders review the specific incident details to ensure the meeting covers key details and expected outcomes.
- The Fact Phase. Those involved in the incident can share their account of events from their perspective. Key here is to outline the facts of the events and avoid emotions.
- The Thought Phase. Here is where participants can fully express feelings and emotions around the incident. Group validation of these emotions is critical.
- The Reaction Phase. The group then reviews the impacts of the incident and is encouraged to identify the worst aspects of the event.
- The Symptom Phase. The group can express key aspects of what they are experiencing, such as emotional, behavioral and cognitive impacts.
- The Teaching Phase. Facilitators help the group understand their reactions and provide stress management and self-care tools.
- The Re-entry Phase. The leaders re-enter the discussion to summarize details, field questions and cover lessons learned. They can also provide next steps for remediation of gaps that led to the incident, making sure to include what led to the negative emotional impacts.
To modify CISM for cybersecurity teams, it would be essential to tailor the approach to the specific stressors and experiences of these teams. This can involve integrating cyber-specific scenarios into training and debriefing sessions, focusing on the psychological impacts: shock, anger, feelings of broken trust, failed expectations, etc. Training for CISM team members could include understanding the unique pressures and challenges faced in the cyber domain. Additionally, developing protocols for immediate and ongoing support can help manage the continuous and often hidden stresses of cyber operations, promoting resilience and effective coping strategies within these specialized teams.
Perhaps these two tools, or something similar, could be integrated into security operations after-action reviews.
This would be potentially helpful for organizations to self-treat impacts. From the perspective of incident responders and consultants handling these stressful situations, it is likely that recognition of the negative emotions and cognitive dissonance that stems from pre-incident beliefs and the realities of post-incident response could help restore trust and an atmosphere of positive collaboration.
Additional research should be conducted to test and refine the concepts.