Cyber security is played for high stakes in a world of shadowy threats. Although it’s seldom discussed openly, this dark game can take a psychological toll on people who play it.
Some IT security professionals come from law enforcement or intelligence backgrounds, so they’ve played dark games before and know the mental traps and pitfalls. But many come from corporate IT backgrounds or straight out of college. No one prepares them for what’s to come.
Like our intelligence and law enforcement brethren, security professionals are exposed to ugly human behavior, while sworn to secrecy and sometimes taking personal risks. This can lead to paranoia, cynicism, and loneliness.
Paranoia results from repeated ambushes, sometimes from people once thought trustworthy. Trust erodes first in the work arena, but if left unchecked it can infect friendships and family. In a threat climate, this is a recipe for paranoia even in the healthiest people.
Cynicism arises from loss of idealism or faith in people’s essential goodness. Many enter the cyber security profession as idealists, drawn to exciting work and a vital mission. They’re prone to disillusionment if leaders or missions are revealed to be less than altruistic.
It can also be disillusioning to find out one’s adversaries aren’t the cartoon villains we were taught to expect. Defenders are indoctrinated in a paradigm of Lawfuls (us) versus Chaotics (them). Attackers , especially hacktivists, often operate in a paradigm of Rebels (us) versus Stormtroopers (them). When these opposing paradigms clash, mutual shadow projections cause confusion and conflict. Those who glimpse the opponent’s paradigm experience cognitive dissonance, projection withdrawal, and a disorienting feeling of having one’s “world turned upside-down”.
Loneliness inevitably follows as one’s circle of trust shrinks. It grows increasingly difficult to let one’s guard down or allow intimacy. This is compounded by a culture of secrecy where one must cope with Big Things, such as traumatic events, without talking about them outside work.
In his 2016 DEFCON talk “Playing Through the Pain: The Impact of Secrets and Dark Knowledge”, (and 2018 follow-on talk "The Road to Resilience") Richard Thieme addressed trauma and trust erosion in security & intelligence work that can lead to substance abuse, divorce, or suicide. Those who experience betrayal or lose mission conviction are most at risk. In extreme cases, their very sense of reality is undermined. The greatest danger comes at the end of a stressful period, followed by rapid decompression, when one can suffer the emotional “bends”.
There are coping strategies available, but first organizations must acknowledge the problem. Managers and HR specialists need to be educated about invisible mental threats, how to detect signs of burnout or mental distress, and make effective resources available. The CIA has in-house psychologists trained to deal with stresses of intelligence work, but in the private sector most corporations offer little more than a third-party employee assistance program whose counselors may be ill-equipped to understand these issues.
Sometimes the mental stresses of security work can lead to insider threats. A disillusioned employee might exfiltrate data to get revenge or ease his conscience (e.g., Snowden). An overstressed employee who seeks release through gambling may go deep into debt, becoming vulnerable to manipulation by adversaries. This is another reason why security organizations should take their employees’ emotional well-being very seriously.
An ounce of prevention is worth of pound of therapy. Thieme (an Episcopal minister before he got into security work) recommends security practitioners seek out family, gardening, music, yoga, or meditation. Any demanding, high-stress job can undermine work-life balance, but since security professionals are often forced to compartmentalize their lives, they can find it harder to talk to family or friends about “work stuff”. Nonetheless family relationships and non-work friendships are vital counterweights for emotional balance.
Our community is very good at recognizing and stopping cyber threats. It’s time we also learned to recognize mental health threats too.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.