Prof. Christopher R. Barnhart
Department of Cyber Security, EC-Council University
Cybersecurity has been described as a sub-topic of “I.T.” Cybersecurity differs from other I.T. roles because it is focused on enforcement instead of compliance. Cybersecurity professionals must work in an ever-changing environment, with multiple threats and constantly changing rules and regulations. They described their work as akin to working in a war zone (Singh et al., 2023). Working in Cybersecurity is a stressful occupation. This is why this field has high turnover, further exposing organizations to risk (Adetoye & Fong, 2023).
How Is Psychology Used in Cybersecurity?
As strange as it may sound, Cybersecurity and psychology have a profound link. Cybersecurity professionals must not only react to threats and attacks but also anticipate their adversaries’ next moves. They must get into the heads of the enemy. There are those who wish to do good, and those who wish to attack and incapacitate organizations and governments worldwide. The management of cybersecurity professionals must take psychological care of their employees.
We know that stress, burnout, and even suicide rates among this worker class are at an all-time high (Nobles, 2022). We are at the intersection of humans and machines. One of them uses the other and vice versa. Despite knowing this, organizations are doing little to tend to these workers and their psychological well-being, according to Nobles (2022). The psychological health of cybersecurity workers needs immediate attention, especially since cybercriminals exploit human weaknesses to nefarious ends. Researcher Sedigheh Heydari (2022) did pivotal research on the psychological factors affecting cybersecurity professionals.
Expert Tips to Protect the Psychological Health of Cyber Professionals
The common theme in the literature on Cybersecurity and psychology over the last several years is that we know the job is stressful, even potentially fatal, and organizations need to do a better job to prevent this. It seems as if the industry is technology-centered and not person-centered. It has evolved that way. Now what? Understanding human factors and some surprisingly simple solutions can help alleviate these problems. I recommend a few general guidelines for protecting cybersecurity professionals’ psychological health (and general health).
- Sleep: The science of a good night’s sleep is indisputable. Workers need 6 to 8 hours of sleep each night to perform at peak levels. The body heals itself, and the brain has time to rest and process information during sleep. I often encounter clients who say they get 3 to 4 hours of sleep per night. There are many OTC solutions; if those don’t help, talk with a physician who can help you find a solution. Our people need sleep!
- Frequent Breaks: It’s common for one to sit at their terminal or computer and work nonstop, perhaps even skipping meals because the work is so intense. I am guilty of this. However, management owes it to their workers to insist on frequent breaks and any allowed time for a meal. Some managers have experienced success in building breaks into the employees’ schedules or putting breaks on their work calendars. Just a fifteen-minute break can give a much-needed reset.
- Eat! Unless there is a reason to fast, religious or otherwise, humans need to eat regularly. Food is the most discussed topic on the planet! Managers must ensure their teams are taking the necessary time needed to eat. That said, I recently devoured two pieces of pizza at my desk because there was a crisis, and I could not leave my desk. But our management ordered pizza, and we ate at our desks. We could not get away to eat, so the team brought the food to us. Even when workers do not want to eat, they must fuel their bodies and minds.
- Training: There is a term called “role ambiguity” when someone does not know their job, goal, or purpose within the team or broader company. This causes enormous amounts of stress for workers. The key to alleviating this is training. I used to schedule my team for one hour of training per week. Sometimes it was training on a work-related module, safety, psychological health, work-life balance, etc. At other times I gave the worker the choice to train in something important to them. When workers know their goal and are trained to handle it, they perform better and do the work more efficiently. While training can be completed solo, I recommend adding in-person, hands-on training.
- Regular Medical Checkups: While we cannot force workers to get a checkup, we should set a culture of holistic health. The health of the body is equally as important as the health of the mind. I have been in a team where my colleague died of a heart attack. That colleague had not had a medical check in over ten years. He was thin, had no family history of heart problems, and ate a healthy diet. If he had had a regular checkup, his heart problem could have been found and fixed, saving his life. There is no worse feeling than attending the funeral of someone you worked with three days ago, especially when it was preventable.
This article has briefly discussed the issues affecting cybersecurity workers and the literature highlighting the importance of addressing these issues. The psychological well-being of cyber workers is equally as important as their physical well-being. Some suggested methods of mitigating these issues include sleep, frequent breaks, eating correctly, training, and regular medical checkups. Cyber work will always be there; our people will not. We owe it to our workers to ensure they are doing well and can perform their jobs confidently and efficiently. The person, firm, and world benefit because our vital cyber workers are at their best!
References
- Adetoye, B., Fong, R.Cw. (2023). Building a Resilient Cybersecurity Workforce: A Multidisciplinary Solution to the Problem of High Turnover of Cybersecurity Analysts. In: Jahankhani, H. (eds) Cybersecurity in the Age of Smart Societies. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-031-20160-8_5
- Heydari, S. (2022). Psychological factors affecting on the culture and awareness of cyber security in during of Covid-19 outbreak. Rooyesh, 11(6), 49-60.
- Nobles, C. (2022). Stress, burnout, and security fatigue in Cybersecurity: A human factors problem. HOLISTICA – Journal of Business and Public Administration, 13(1), 49-72. https://doi.org/10.2478/hjbpa-2022-0003
- Singh, T., Johnston, A.C., D’Arcy, J. and Harms, P.D. (2023), Stress in the cybersecurity profession: a systematic review of related literature and opportunities for future research. Organizational Cybersecurity Journal: Practice, Process and People, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/OCJ-06-2022-0012
About the Author
Christopher Barnhart is a professor of psychology, research and writing in the department of Cybersecurity at EC-Council University. He has a B.S. in Business Administration and earned his master’s degree in business administration. His Ph.D. studies were in Industrial and Organizational Psychology. He is the founder, former president, and chairman of Florida Industrial and Organizational Psychology in the United States. He is a member of the American Psychological Association and the Society for Industrial and Organizational Psychology. Chris enjoys teaching both in the U.S. and abroad.