The emotional stages of a data breach: How to deal with panic, anger, and guilt

It usually happens on a Friday afternoon, at around 4 or 5 p.m. Admins and security experts receive a message telling them that something weird might be happening, and the quiet afternoon turns into chaos. 

Data breaches and other security incidents tend to stretch the nerves of everyone, from teams trying to fix the issue to key stakeholders. They can all experience a wide range of feelings, including denial in the first moments, followed by sheer panic, anger, anxiety, and sometimes guilt. It’s not uncommon to experience an elevated heart rate, sweating, trembling, or nausea, and these events could even trigger mental health issues.

“I’ve had admins that couldn’t cope and walked out,” says Peter Mackenzie, director of the incident response team at Sophos.

It’s not just them. “These emotions can go viral, spreading throughout the organization,” says Dr. Patrick Stacey, who published a paper on the emotional reactions and coping responses of employees during a cyberattack. As stress builds up, C-level executives and board members tend to become edgy, putting pressure on technology professionals to solve the issue fast.

This kind of pressure never helps, says Michael Sjøberg, a hostage survival and crisis management expert who has worked for the Danish Army and is now a ransomware negotiator. “The more intense the situation seems to be, the more we as humans tend to be reactive and act without thinking,” he says.

How an organization handles a cybersecurity incident can decide its fate, therefore technology professionals and stakeholders need to make the right calls at all times. Remaining calm and collected is essential during a crisis but also even before it starts. The chain of emotion can begin much earlier.

Frustration may appear even before a data breach

Security professionals and admins protecting organizations often feel like Sisyphus rolling a massive boulder up the mountain, only for it to roll down every time. Often, they can’t even make employees follow simple rules like having unique passwords or installing the latest updates.

They also have problems convincing the board that security is essential. Ninety-eight percent of security experts said they lack adequate funding to buy services and equipment and implement the required policies, according to a survey carried out by Lastline during the 2019 RSA Conference. Also, 23% argued that it would take a successful attack against their organization to get executives to offer enough financial support.

While admins and security professionals know what should be done to keep the organization safe, they can’t seem to convince anyone to listen to them. Therefore, there can be “an air of frustration and irritation within the security staff because they’re always being fobbed off,” Dr. Stacey says.

Although they’ve sent plenty of warning signs along the way, when a breach does indeed happen, admins and security staff are the ones who suffer the most. The “I told you so” moment is followed by anxiety, fatigue and sleepless nights.

The chain of emotions post security incident

During an incident, things move very quickly, and technology professionals involved tend to feel a mixture of emotions, including an initial shock followed by denial, guilt, anger, panic, fear or anxiety. “Even though you may have prepared for this, the brain tends to shut down,” Sjøberg says. “The more intense the situation seems to be, the more we as humans tend to be reactive and to act without thinking.”

The first few hours of an incident are chaotic. Mackenzie calls them the “chaos phase.” “You get sheer blind panic, where [people] start ripping out power cables, turning everything off and cutting the internet to the world because they have no idea what to do, other than they must just stop things,” he says.

Some admins and security experts might somatize during those unbearable hours, converting their psychological concerns into physical symptoms. Mackenzie remembers one incident in which a small town in the U.S. was hit with the Conti ransomware. The admin, who was on the phone, said they had backups, but then he went to check them. Mackenzie heard silence for a minute. “Then I heard him throw up in the room,” he says. “The backups were gone, they’d lost all the court systems data or the police records, everything was gone. They had nothing.”

Ripping out power cables and experiencing physical symptoms is a natural reaction to something intense happening. These are all human reactions to being under stress. “It can be hugely devastating to realize that not only have people been on your network, they’ve taken stuff from your network, they’ve destroyed stuff from your network, not just for your business, but customer data or police records, hospital records,” Mackenzie says.

Sjøberg adds that some admins and security experts might feel pressure to fix everything immediately. It’s usually a bad decision. “[Often,] it’s not that they’re doing anything wrong, but some things may be more important than others,” Sjøberg says. Instead of acting, he recommends that they contact the person in charge of crisis management.

The mix of emotions felt during the initial hours of an attack can also include anger, sometimes directed at the security vendor that provided the security tools that were supposed to prevent incidents. Anger can also be directed towards the attacker, particularly if the victim is a hospital, a municipality, or a small shop like a bakery or a florist.

Guilt can also appear, often in relation to negligence. “They realize that they hadn’t been looking at the warning signs,” Mackenzie says. There are always tools that should have been updated or managed better.

Some admins and security professionals can’t cope with the stress. A hospital admin Mackenzie helped disappeared for three days after an incident because he wasn’t prepared for that kind of disaster. Then, he returned and carried on.

Security incidents can have long-term consequences on employees’ mental well-being if stress is not managed correctly. Luckily, psychologists have long been studying ways to help us navigate intense situations, and the U.S. Army also has a few techniques technology professionals could use.

Tactical breathing and slow breathing

As a crisis management expert working, Sjøberg has had his fair share of tense situations. One exercise that has helped him along the way, called tactical breathing or combat breathing, is used by military, firefighters, and law enforcement personnel to reduce stress in dangerous situations.

“When you employ tactical breathing, you breathe in while you count to four, you hold your breath while you count to four, you breathe out while counting to four, and you wait while counting to four,” he says. When doing this exercise, it’s essential to take deep breaths using the diaphragm, Sjøberg adds.

A recent study published by experts at the Department for Military Psychology Research of the German Armed Forces in Bonn showed that tactical breathing might be most effective during passive coping when we expect a difficult or threatening situation, and there is no other option other than to face the stressor.

Meanwhile, during active coping, more simple techniques might work better. Those include prolonged exhalation and slow breathing. Prolonged exhalation means inhaling normally but exhaling slowly, while slow breathing requires having only about six cycles of inhaling-exhaling per minute, as opposed to the normal 12 to 14.

When we breathe slower, we tell our bodies that everything is OK. These techniques appear to adjust the parasympathetic nervous system, which regulates the body’s unconscious actions. Doing these exercises may slow our heart rate, relax our muscles, and decrease blood pressure.

The brain is the body’s most complex organ, and we’re yet to discover how it truly works. Still, a study published in 2017 by Kevin Yackle then at Stanford University School of Medicine and his colleagues showed that mice have a tiny cluster of neurons with multiple functions: They appear to regulate respiratory rhythms and also interact with a region of the brainstem involved in stress and panic, the locus coeruleus. When researchers ablated a few of those neurons, the mice experienced more frequent calm episodes, but they also became less interested in exploring new environments. Other studies have shown that changing the way we breathe might influence the dorsomedial prefrontal cortex and the amygdala, which are involved in the management of stress and negative emotions. Also, controlled breathing might lead to lower cortisol levels.

Cyberattack training and planning

If breathing techniques aren’t your cup of tea, another idea to prevent overwhelming emotions is to prepare for attacks in advance. These exercises should ideally be conducted by someone outside the organization but should include everyone, not just security experts.

“Executive management needs to be involved in at least an annual crisis management workshop,” Sjøberg says. “I’ve seen this so often that the CEO or the CFO end up not wanting to engage in crisis management training because it’s too hard, and they tend to lose during the training sessions.”

To prevent this, the workshop should be about training people on how to use tools, not testing crisis management plans. “You should never train staff where you don’t give them the answers beforehand,” Sjøberg says.

This training could also help admins, security researchers, and stakeholders feel that they did everything they could to prevent an incident, which might ease their guilt. Other strategies for dealing with this emotion are apologizing and making amends, replacing negative self-talk with competitions, and learning from past mistakes.

Exercises like these can help both individuals and organizations become more mature, which will help them react better during events and filter out emotions more efficiently. Plans for potential cyberattacks can also come in handy. “When you have a mature process, a documented way of dealing with a security incident, you can afford to take emotions out because you don’t have to act subjectively,” says Almerindo Graziano, CEO at Cyber Rangers. “These are the rules, this is the best practice, this is what you do.”

Graziano also suggests that the more competitive professionals might benefit from flipping the situation, turning the disaster into an opportunity: “Prove how good you are at stopping the attack or hunting the threat!”

While all these strategies for filtering out emotions could work for admins and security experts, one more category needs to get better at coping with stress: the stakeholders.

Stakeholders influence how a cyberattack unfolds

C-level executives and board members are under pressure during a cybersecurity incident. Their company could lose billions of dollars, and its reputation can also be damaged. During an incident, stakeholders need to face angry clients whose personal data has been posted online and business partners affected by the attack.

Generally, there are two types of stakeholders: those who get angry during critical times and pressure the security experts to fix the issue, and those who show empathy and compassion, providing support to those working on getting everything back on track.

Needless to say, the angry stakeholders make things worse. They need to take a step back, understanding that they are “probably the most incompetent persons in the room,” Sjøberg says.

Mackenzie adds that security experts might miss things if they must act in a hurry. “When that kind of pressure gets put on, mistakes are made because [security experts] tend to focus on recovery more than forensics,” he says. “You need to understand how the attack happened not just so you can make improvements on your security going forward, but also to make sure the attackers aren’t still in your network.”

By contrast, supportive management can help solve the crisis. Dr. Stacey recommends C-level executives ask the team what things they could do to support their effort. “It’s important for senior management to exercise this sort of empathy because emotions can pull people down; they can also elevate them and motivate,” he says. “It’s a matter of trying to manage the system and manage people in a way that we can always flip it into a positive drive rather than a reverse gear.”

His Ph.D. student Omotolani Olowosule adds that the critical phase of a security incident is not the time for the “blame game” and that organizations should support their employees. When admins and security experts don’t feel they need to protect their reputations and have the confidence that whatever happens, they are not left alone to deal with it, they manage to come up with innovative ways to fix the problem.

“Emotion doesn’t walk on its own,” Olowosule says. “I would react positively if I am in a very comfortable environment where my opinions are valued. Fine, I’ve messed up, I’ve probably done something really bad to the company, but it doesn’t mean I’m going to have to take the blame alone.”

However, calming an angry C-level executive is more complicated than helping a security engineer relax.

Calming CxOs during a cybersecurity event

During the intense moments of a data breach, outside consultants spend large chunks of time calming down nervous executives. “We almost have to take on the role of being that shoulder to cry on to some degree to kind of help them navigate all these feelings,” says John Prieto, incident response consultant at Mandiant and former cyber warfare operator within the U.S. Air Force.

He says that communication and transparency are crucial because everybody wants a progress bar on the investigation. “Be outright in saying: These are the things that we’ve seen evidence of, these are the things that we have not seen evidence of, and just kind of letting the evidence do the talking,” he says.

Prieto adds that every person ingests information in different ways. Some people are very hands-on, while some like to get written or verbal reports, so he tries to incorporate all forms of communication. However, he says that spending a lot of time talking means working less on fixing the issue.

With this information in hand, an outside consultant can be more efficient in calming down an angry manager, Sjøberg says. He often takes the executive outside the meeting room, doing anti-stress debriefing and telling them how things can get back on track.

Enabling everyone to be calm is critical in dangerous situations. “We can put all the tools that we want in the world in place, but unless the person has the resilience to employ them, it’s still going to be very difficult to get the results,” Dr. Stacey says.