How Stress Impacts Tactical Cyber Operations
Your favorite security researcher and threat-data gatherer is under stress. No surprise there. But when and how that pressure affects these individuals working in tactical cyber operations is what matters, especially if your organization wants to alleviate this emotional weight before it negatively affects a critical project or imposes undue risk on a company.
The National Security Agency, at the recent Black Hat security conference, shared some fascinating insight on the relationships between stress, frustration, performance and other factors that affect those working at the highest levels of cyber intelligence operations in the United States.
In a nutshell, yes, tactical cyber operations cause stress, but self-assessments completed by 126 operators in four different NSA locations indicate that downturns in performance are linked more so to frustration than fatigue, or mental and physical demands.
“Remember who our operators are: highly skilled, trained, dedicated to the mission, and results driven,” said Celeste Lyn Paul, senior researcher and technical advisor at the NSA. “They have a lot of pride in their work and always want to win. There’s an extra something special at NSA because we believe in the mission and the work we do. This is what’s feeding this weird relationship between frustration and performance.”
Paul, who presented with Josiah Dykstra, deputy technical director of NSA cybersecurity operations, said operators put the success of the mission above all else, even physical health. “They’re taking on this mental demand, physical demand, time, pressure, and effort, and that’s just part of the environment. But the frustration is something that they can’t take on,” Paul said. The unpredictability of cyber operations feeds frustration at the highest levels, and largely leads to anxiety over a general lack of control.
“Cyber is hard,” Paul said. “We get our new boxes full of analytics, and new tools, and the job gets harder. It’s a complex and unpredictable environment where a lot can go wrong. And if we try to control individual variables, we can’t. There are too many moving parts.” The NSA attempted to study all of these factors to not only learn more about the impact of stress, but to ensure the mental and physical well-being of its operators. Paul and Dykstra described a short two-page survey called the Cyber Operations Stress Survey they developed as a tool to measure the effects of fatigue, frustration and cognitive workload—the mental effort needed to use working memory.
The most-telling results to the researchers was the link between frustration and the operators’ self-assessment of their performance. Fatigue and cognitive workload did not highly impact performance the way frustration did.
“No matter how much mental and physical demand, time, pressure, or effort was involved, there was no relationship between those and their self-assessment of performance,” Paul said. “We see a link with frustration instead; their frustration is up, and self-assessments of performance go down. The only thing that affects them is how frustrated they are.”
What the NSA—and any enterprise—should hope to avoid is this type of stress leading to episodic or chronic stress. Episodic stress is repetitive and leaves a person with little time to recover, relax, and collect themselves; episodic stress could also aggravate underlying health conditions. Chronic stress endures over time and has negative effects on health and renders the sufferer feeling as if they have no sense of control over a situation or no ability to insert their will.
Cyber’s unpredictability feeds this impact on stress and overall health, Dykstra said. “For us, it’s not about losing money or a customer; NSA is a part of the Department of Defense and has multiple missions. For the most part, we’re there to protect nation, life, property, and sovereignty,” Dykstra said. “These are all heady topics. Imagine being the person at the keyboard in charge of all that. If they make a mistake, they could affect those things for a lot of people. It’s a lot of responsibility taken on gladly. We, also, as part of this community have to make sure they can take care of themselves.”
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was as an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.