"In my experience, more than 90 percent of all intrusions, incidents, and breaches occur because the organization didn't take care of the basics," says Cowperthwaite. For example, the organization did not apply patches, did not harden systems, did not keep firewalls up to date, and did not have a security leader at the executive level who was directly accountable to senior leadership.
In many enterprise environments, people carry a great deal of responsibility, and information security threats target the very data they are responsible for. Even if they try to anticipate the next attack, they have no real idea who will launch it, or when, or how. "If you feel like you have a lot of responsibility in a high-stakes environment but very little control to effect a meaningful change, that's going to create learned helplessness," says Salmi.
Learned helplessness can also come about when a low-level manager is in charge of security and has no visibility into the business to aid him. "This leaves the impression that the organization does not care about proper information security and they are not going to implement basic security measures to keep the enterprise secure," says Cowperthwaite. The victim mentality arises here because security leaders know what resources they need to secure their systems, but they don't feel the business cares enough to provide them.
Too much negative security news can also be defeating. "We have been beat to death by media stories about breaches. Every time we turn around someone else is being hacked. That misleads people to believe that anyone can fall victim. But as we dig into these breaches, it turns out that the enterprise didn't do something basic like patch a test server, which an attacker used to break into the network," says Cowperthwaite.
Preventing learned helplessness
To prevent learned helplessness or reclaim people who suffer from it, it's important to foster resilience in people over time, to support and enhance their ability to recover from failure, to be a long-distance runner, and to adjust and come back to a challenge with a new way of thinking and additional resources. The enterprise should always be building a more resilient team. "You can start by hiring people who are more likely to be resilient," says Salmi.
To support an empowered and resilient team, test and prove the theory that consistently applied basic security measures make it harder for the relatively rare attacks by APTs, zero-day exploits, and nation states to succeed. "Organizations need to stop worrying about APTs and Zero-Day exploits," says Cowperthwaite, "and start patching vulnerabilities that they've known about for years."