Are you prepared to handle the emotional toll of a cyber attack?

Your business has just experienced a cyber attack. Panic sets in, and you're scrambling to figure out what to do next. You realize that your executive team isn't aligned, and there's a lack of communication with both internal and external stakeholders. The business disruption is real, and employees don't know what to do.

At times like these, the power of emotional intelligence cannot be overstated.

Emotional intelligence is about understanding and managing emotions - both your own and those of others. And in a cyber attack, emotions often run high due to the immediate pressure of damage control.

Leaders with high emotional intelligence are able to stay calm under pressure and make sound decisions. They can connect with their employees on a human level, providing reassurance and support. And they can communicate effectively with their stakeholders, maintaining trust and credibility.

So, how can you build emotional intelligence into your cyber incident management plan?

First, identify your own and your team's emotional intelligence levels. Identify strengths and weaknesses and work on developing the skills needed to lead effectively in a crisis.

Making emotional intelligence a key part of your cyber incident management plan is essential in facing today's digitalization challenges. Develop protocols for managing emotions during a cyber incident simulation, and ensure that everyone on your team is trained and prepared both at the technical and emotional level.

When an incident occurs, the emotional intelligence toolkit empowers and equips people with the right tools to work seamlessly and resiliently together, without making them feel insecure.

You can start sleeping at night knowing your team knows what to do when it comes to navigating the human factor of cyber incidents as a prevention strategy.

Cyber incidents are inevitable in the end. However, emotional intelligence helps manage them effectively. The ability to lead your team with strength, compassion, and resilience can be achieved by building emotional intelligence into your cyber incident management strategy.

In this blog, I explore how emotions can enhance cyber resilience within a human factor by examining the case study of what might have driven Uber's former CISO's decision-making process during the 2016 data breach cover-up.

The Power of Emotional Intelligence in Damage Control

The lack of reporting on cyber attacks by businesses does not help in developing resilience strategies based on actual data and insights. Part of this phenomenon can be explained through the lens of emotional intelligence.

Building resilient cyber cultures within organizations requires emotional intelligence (EQ) to address the human factor at a practical level. The EQ-i 2.0 provides a comprehensive framework for assessing and developing EQ in individuals and teams. People with higher EQ levels are better able to manage their own emotions and respond to the emotions of others, which contributes to a more positive and productive cyber culture.

Emotional intelligence includes self-awareness, which involves understanding one's own emotions and how they impact behavior. Building cyber resilience should involve recognizing when emotions, such as fear or anxiety, are influencing decision-making, and learning to manage those emotions.

When someone has low self-awareness, they may feel uncomfortable reporting cyber incidents early on and expect to be judged incompetent or blamed. Thus, not reporting at all or ignoring it is the easier way out. Through training and support, organizations can help their employees manage their emotions in the face of cyber threats and promote self-awareness.

Empathy, or the ability to understand and respond to other people's emotions, is another important aspect of emotional intelligence. It is important to recognize when a colleague is feeling overwhelmed or stressed, and respond constructively and supportively.

Organizations can foster a more collaborative and resilient cyber culture by building empathy skills within teams. In this way, individuals can work together effectively to resolve cyber threats.

Preventing another UBER case with Emotional Intelligence

How could emotional intelligence have helped Uber's former Chief Information Security Officer (CISO) make better decisions during the cover up of the 2016 data breach, potentially avoiding criminal liability?

Let's take a look!

Uber suffered a data breach in 2016 that compromised millions of users' personal information. Joe Sullivan, the company's CISO, has been widely criticized for his decisions following the breach. Sullivan's decision to pay a ransom to the hackers who carried out the breach has been viewed as a serious mistake.

A better understanding of emotional intelligence could have helped Joe Sullivan with a practical decision-making tool to make informed and holistic decisions.

It is likely that he was driven by fear and anxiety due to the pressure he was dealing with at the time, and thus failed to make a 360-degree decision based on the company's and its users' best interests. Regardless of how experienced or intelligent someone is, when faced with that much pressure, emotions do affect behavior. This is known as the stress response, which translates into different behaviors based on how familiar one is with the context and how comfortable one is with that kind of stress.

"The delayed notification in itself isn't what brought Sullivan into the Justice Department's crosshairs, though. When Sullivan learned about the 2016 hack, he was already working with the FTC on its ongoing investigation into another, unrelated 2014 Uber data breach. Among other things, Sullivan gave a sworn deposition to the FTC about the incident and steps Uber had since taken to improve its digital security practices. Ten days after providing this testimony, he learned of the new data breach. The hackers attempted to extort the company by threatening to publish the data they had stolen if they didn't receive payment." - Wired

The actions of Sullivan following the breach, including trying to cover up the incident and failing to notify regulators or affected individuals in a timely manner, indicate a lack of empathy and self-awareness when viewed through the lens of emotional intelligence.

The stress someone faces during those moments inevitably impacts their ability to make rational decisions, even if they are unaware of it themselves.

In failing to consider the potential impact of his decisions on others, including Uber's users and regulators, Sullivan undermined the company's efforts to build a resilient cyber culture.

As a result of Joe Sullivan's actions during the 2016 data breach, he was charged. For his role in covering up the breach and paying a $100,000 ransom to the hackers responsible for the attack, he was charged by the US Department of Justice with obstruction of justice and misprision of a felony in August 2020.

Aside from the criminal charges, Sullivan also faced civil charges from the US Securities and Exchange Commission (SEC) for failing to disclose the breach to investors in a timely manner. Uber settled SEC charges related to the breach in September 2018, paying $148 million, including a $50 million fine.

Is Emotional Intelligence the Silver Bullet?

In the current cyber threat landscape, there is no one-size-fits-all approach, and siloed thinking no longer works. It is apparent from Uber's case that emotional intelligence is an important component of cybersecurity. A culture that prioritizes cybersecurity and responds to threats and challenges better can be created by developing emotional intelligence skills.

In the face of pressure and being pulled in many directions, there is a good chance that Sullivan would have made different decisions if he had applied emotional intelligence skills. Fear, anxiety, or other strong emotions may have clouded his judgment and influenced his decision to pay the ransom, especially when he was still involved in a previous investigation. Sullivan could have recognized these emotions and taken steps to manage them by seeking input from other stakeholders and considering the long-term implications of his decision through self-awareness skills.

Sullivan could have improved his understanding of how his decisions might impact Uber's users and regulators by developing empathy skills. By developing a comprehensive response to the breach, Sullivan might have been better able to work collaboratively with other stakeholders if he had leveraged empathy skills.

By developing emotional intelligence skills such as self-awareness and empathy, Joe Sullivan may have been better equipped to prioritize Uber's and its stakeholders' best interests in response to the 2016 data breach. Sullivan could have played a more effective role in building a resilient cyber culture within the organization if he recognized and managed his own emotions and considered the emotions of others.

On January 11, 2023, presiding United States District Judge William Orrick in San Francisco denied the motion of Joe Sullivan, the former CISO of Uber, for a judgment of acquittal. Companies now have to take into consideration the consequences of not reporting cyber incidents as it may get them in trouble legally.

In order to build a healthy security culture where transparent governance and effective collaboration and communication processes are in place, emotional intelligence plays a critical role in ensuring that doing the right thing won't lead to criminal liability.

Emotional intelligence is a critical component of cybersecurity and building a resilient cyber culture. By developing emotional intelligence skills such as self-awareness and empathy, individuals can better manage their own emotions and respond to the emotions of others, leading to more effective decision-making and collaboration. As businesses face increasingly complex and frequent cyber threats, it is essential to prioritize emotional intelligence in cybersecurity strategies.

If you are interested in building cyber resilience with emotional intelligence, let's connect and explore how Thrive with EQ can assist you in managing the human factor in cyber incidents and creating a culture that prioritizes cybersecurity and resilience.