The Psychology of Cyber: How to build cognitive agility with micro-drilling

This is the third post in a series by psychologist Rebecca McKeown, a specialist focused on improving human response in pressurized situations. She is a visiting lecturer at Cranfield University, and works with the Ministry of Defence, helping the armed forces build more agile human assets.   In my previous posts, I introduced cognitive agility,…

This is the third post in a series by psychologist Rebecca McKeown, a specialist focused on improving human response in pressurized situations. She is a visiting lecturer at Cranfield University, and works with the Ministry of Defence, helping the armed forces build more agile human assets.  

In my previous posts, I introduced cognitive agility, why it is an important skill for crisis response teams, and the elements involved in developing it

To the average CISO, however, it might seem a little conceptual. So how can security teams actively embed cognitive agility into their incident response teams for better crisis outcomes?   

Outside of the cyber domain, research has identified the following elements as important techniques for building cognitive agility:

1. Run more simulations

While it’s no surprise to senior security leaders that they need to run simulations, developing cognitive agility requires a higher frequency than the annual tabletop exercise. This is for three reasons:

  1. Skills acquisition is an iterative process requiring several steps. Initially, people develop surface level knowledge and eventually graduate to more advanced skills such as attributing reason to an attacker’s actions. This, however, takes time to embed in the human psyche.
  2. If new skills aren’t used often, they fade fast. We become less adept and our competence degrades very quickly, so frequency of training is incredibly important.
  3. Finally, when they startdeveloping cognitive agility, people will begin to consciously make connections from previous experiences and apply them to crisis situations.  Essentially, you help people ‘pre-plan’ and understand the consequences of decisions before they’re made in a live environment. 

Outcome for CISOs: The greater the volume of crisis simulations a person goes through, the better their bank of experience is, meaning they have more to draw from and become more adaptable. Once every two months as an absolute minimum. For this reason, the annual crisis training exercise may not be enough.

2. Run a greater variety of simulations

Introduce counterfactual thinking into crisis simulations by teaching people to ask ‘what if?’ at certain waypoints. By exploring alternative hypotheses, you encourage them to change the way they approach the next. For example, by asking for different datasets upfront or discarding irrelevant information and opinions earlier on in the crisis.   

Outcome for CISOs: Running a variety of simulations lets cyber response teams ask a broader range of ‘what if’ questions to themselves and their teams. In addition, build a mechanism into each scenario to allow people to discuss ‘what if’ after the event, even if it is just 15 minutes or so.    

3. Analyse simulation data to spot patterns

Comparing the outcomes of many different crisis simulations over time will allow for patterns to be identified where certain behaviours caused particular outcomes. This will encourage people to make decisions based on data, as opposed to intuition. 

Outcomes for CISOs: Ensure crisis simulations are tracked with easily quantifiable metrics tagged to each decision, so participants can understand outcomes clearly.

How this fits into micro-drilling

Micro-drilling is a new approach being taken by progressive security leaders to overcome the limitations of less frequent, meeting-room based table-top exercises. Instead, it prescribes a series of rapid, short, regular crisis simulations, typically delivered through a browser.  

This new approach lends itself to developing the three elements of cognitive agility, as outlined above.

Without having to collect stakeholders in a physical location, and only being run for an hour or so, micro-drilling allows for a greater cadence of training as it is less burdensome. This leads to the kind of continual acquisition of cyber crisis response skills that allows them to embed deeper than before.

Training in shorter bursts also makes a greater variety of scenarios possible. By encouraging teams to run more variations, it develops the counterfactual thinking crucial in helping incident responders to explore alternative hypotheses – ensuring they approach the next crisis better prepared.   

With micro-drilling capable of collecting data on the performance of each decision, they also provide a valuable feedback loop for teams looking to spot patterns to help them improve decision-making.    

Everything considered, micro-drilling is well-positioned to help develop cognitive thinking in crisis response teams. It will be interesting to see whether it is truly able to fix the ‘wicked problem’ of cyber crises.

For more information on how to run micro-drills, schedule a demonstration of Crisis Simulator.

PUBLISHED

17 December 2020

Rebecca McKeown
Chartered Psychologist

We help businesses to increase and evidence human capability in every part of cybersecurity.