Finding grace in responses to adverse cybersecurity incidents

Marc Dupuis (Department of Computing and Software Systems, University of Washington, Seattle, Washington, USA)
Rosalind Searle (Adam Smith Business School, University of Glasgow, Glasgow, UK)
Karen V. Renaud (Department of Computer and Information Sciences, University of Strathclyde, Glasgow, UK) (School of Computing, University of South Africa, Pretoria, South Africa) (Department of Information Systems, Rhodes University, Grahamstown, South Africa) (Division of Cybersecurity, Abertay University, Dundee, UK)

Journal of Intellectual Capital

ISSN: 1469-1930

Article publication date: 5 November 2024

Issue publication date: 15 January 2025

Abstract

Purpose

The purpose of this study was to investigate the role of grace in the aftermaths of adverse cybersecurity incidents. Adverse incidents are an inescapable fact of life in organizational settings; consequences could be significant and costly. Increasingly, the cause may be a cybersecurity exploit, such as a well-targeted phishing email. In the aftermath, line managers have a choice in responding to the individual who caused the incident. Negative emotions, such as shame and regret, may deliberately be weaponized. Alternatively, positive emotions, such as grace, forgiveness and mercy, may come into play.

Design/methodology/approach

We detail a study with 60 participants to explore attribution differences in response to adverse incidents, both non-cybersecurity and cybersecurity. We examined the stages that occur in the aftermath of such adverse incidents where grace may be observed.

Findings

Our participants generally believed that grace was indicated toward those who triggered an adverse cybersecurity incident, pointing to situational causes. This was in stark contrast to their responses to the non-cybersecurity incident, where the individual was often blamed, with punishment being advocated.

Research limitations/implications

The role of positive emotions merits investigation in the cybersecurity context if we are to understand how best to manage the aftermaths of adverse cybersecurity incidents.

Practical implications

Organizations that mismanage the aftermaths of adverse incidents by blaming, shaming and punishing those who make mistakes will harm the individual who made the mistake, other employees and the long-term health of their organization.

Originality/value

To the best of the authors’ knowledge, this is the first study to reveal the grace phenomenon in the cybersecurity context.

Acknowledgements

Our anonymized dataset is available from: https://osf.io/c73qz/

Citation

Dupuis, M., Searle, R. and Renaud, K.V. (2025), "Finding grace in responses to adverse cybersecurity incidents", Journal of Intellectual Capital, Vol. 26 No. 1, pp. 45-70. https://doi.org/10.1108/JIC-04-2024-0128

Publisher: Emerald Publishing Limited

Copyright © 2024, Emerald Publishing Limited