Skip to content

October 6, 2022

Novel Security Vulnerabilities: The Human Response

By IT Revolution

This post has been adapted from the 2022 DevOps Enterprise Forum guidance paper Responding to Novel Security Vulnerabilities by Randy Shoup, Tapabrata Pal, Michael Nygard, Chris Hill, and Dominica DeGrandis.

In our last post, we looked at the organizational response to novel vulnerabilities. Now let’s turn to the human response.

All technology organizations experience regular interactions between social and technical elements that operate within a constantly changing environment. But when it comes to security incidents and vulnerabilities, it’s not about constantly changing environments. Instead, it’s about immediate threats, threats that can hold your production environments hostage or can expose personally identifiable information which can be used to commit identity theft and erode your customers’ trust. Under these intense circumstances, a person’s ability to remain calm and confident (versus fearful and pessimistic) differentiates successful organizational performance from unsuccessful organizational performance.

The sense of pressure and possible failure that people feel in the heat of a challenging vulnerability impacts their coping mechanisms and sense of safety. But how is it that some people can press on while others retreat or drop out? Often, this comes down to fear. Will my boss fire me if I make a mistake? they might wonder. Will this somehow end or affect my career in the long run?

In the workplace, the fear of losing your job is very real. For example, when Target experienced a breach in 2013, it ended the tenure of the CIO. Even though the response after the breach was satisfactory, the senior executive was still held accountable for the event itself.

Knowing that previous security breaches have been career ending increases the fear response of the individuals involved, spiking adrenaline and creating an overabundance of cortisol in the body. If left unchecked, this type of repetitive acute stress can lead to chronic stress, resulting in depression, exhaustion, and burnout. This phenomenon, where a high-stress situation worsens performance, is known as choking under pressure and is a perfect example of the powerful grip that fear has on our behavior. But fear responses are not unpredictable. We can use the Kübler-Ross Change Curve as a model from which to gain insights into why people press on versus drop out.

Anticipating Emotional Response

The Kübler-Ross Change Curve is an extension of the original five stages of grief that Dr. Elisabeth Kübler-Ross coined in 1969. Today, the Kübler-Ross Change Curve holds true for work environments and is traditionally used to measure response to change. Consequently, the Kübler-Ross Change Curve applies to security incident responses, which are different in nature from longer-term, planned transitions and transformations. Because novel security vulnerabilities such as Log4Shell are unpredictable, security experts need to be ready for anything at any time.

When employees are regularly subjected to alarming high-stakes events, a good night’s sleep (if adrenaline doesn’t keep them from sleeping) or a weekend off might not be enough to restore the energy necessary to show up and carry on in a potentially chaotic and uncomfortable environment.

Repeated high-stakes events reduce your company’s ability to rely on essential expertise. Likely your most-needed people are the people who are the closest emotionally to the incident itself. Those individuals’ emotional responses to the incident will follow stages similar to the Kübler-Ross Change Curve.


The Kübler-Ross Change Curve helps those in the workplace anticipate how they and their coworkers will react physiologically when high-stress situations occur. The vertical axis reflects how morale and confidence are impacted by mental turmoil. The horizontal axis reflects the impact that time has on people as they move sequentially through each stage. This awareness helps those affected to self-regulate more readily once they recognize how each stage impacts them, both in the short and long term.

While the original Five Stages of Grief end in acceptance, the Kübler-Ross Change Curve has evolved to include experiment, decision, and integration as an approach that ultimately leads to success. By utilizing the Kübler-Ross Change Curve, we can explore ways to reduce mental turmoil (such as meditation, exercise, self-care, etc.) that are appropriate for the emotional state a person is in.

There’s an unfair expectation that people are able to manage their individual curves quickly. But this depends on how much privileged information people have and how early they start their curve. Consider a scenario in which senior executives know of an upcoming merger that will cause some team members to lose their jobs. The executives may know six months ahead of everyone else about the merger, allowing them to adjust to the change long before the staff finds out via a two-week notice. The staff is still in the shock stage while the senior executives have already moved to the integrated stage. This is exacerbated by staff who have already established equilibrium with their personal cognitive load budgets,  for which a novel incident (and a new start to a curve) has to borrow energy from things like physical well-being, family time, or creative time.

When leaders provide a healthy environment in which employees are well-informed and feel safe (versus operating out of fear), people are better able to shift from frustration to improved decision making (via experimentation) with reduced time spent in depressed states. And that dynamic can reduce the risk of hefty talent replacement costs. Instead of people waiting on the cusp of a triggering event to update their résumé and walk off to another opportunity, they can persevere with more resilience. If people know about the Kübler-Ross Change Curve stages and learn to self-regulate, they can maintain confidence and morale with the stamina to press forward through challenging events.

Up next in our novel vulnerabilities series, we’ll take a look at preparing for and preventing novel vulnerabilities.

- About The Authors
Avatar photo

IT Revolution

Trusted by technology leaders worldwide. Since publishing The Phoenix Project in 2013, and launching DevOps Enterprise Summit in 2014, we’ve been assembling guidance from industry experts and top practitioners.

Follow IT on Social Media

No comments found

Leave a Comment

Your email address will not be published.

Jump to Section

    More Like This

    Serverless Myths
    By David Anderson , Michael O’Reilly , Mark McCann

    The term “serverless myths” could also be “modern cloud myths.” The myths highlighted here…

    What is the Modern Cloud/Serverless?
    By David Anderson , Michael O’Reilly , Mark McCann

    What is the Modern Cloud? What is Serverless? This post, adapted from The Value…

    Using Wardley Mapping with the Value Flywheel
    By David Anderson , Michael O’Reilly , Mark McCann

    Now that we have our flywheel turning (see our posts What is the Value…

    12 Key Tenets of the Value Flywheel Effect
    By David Anderson , Michael O’Reilly , Mark McCann

    Now that you've learned about what the Value Flywheel Effect is, let's look at…