Tony Kirtley’s FIRST conference talk (video) explored how the Kubler-Ross model of grieving can help understand the emotional effects of a ransomware attack, both to avoid negative consequences and, where possible, to use natural emotions to support positive responses:
Denial: in a ransomware attack, denial should be short-lived, as the nature of the problem will quickly be clear and undeniable. However, there is a danger that individuals at this stage will take unplanned actions, such as changing passwords or rebuilding systems, that are at best a waste of time (while the bad actor still has access to the system) and at worst may destroy information needed for recovery. A related possibility is misplaced (mis)trust in systems, data or people whose reliability isn’t yet known.
Anger: depending on how it is directed, anger can be either destructive – if channelled into finding someone to blame – or constructive – if used to bond and inspire those involved in recovery. “We are all in this lousy situation together, let’s combine our energy to get out of it” can be positive, but needs care, because…
Depression: individuals may naturally believe the situation is their fault, even if there was no way their actions could have changed the course of events. Leaders must provide constant reassurance, otherwise a feeling of hopelessness can easily spread through the organisation.
Bargaining: here the risk is of being too successful in the previous stages, leading individuals to over-commit to the recovery process. Ransomware incidents take a long time to repair – anything from two weeks to four months was suggested – which is too long for anyone to work in “emergency” mode. The impact of burnout is amplified because not only is the individual’s effort lost, but so is their detailed knowledge and understanding of the affected system. Here external support can help by taking on the “commodity” recovery actions, allowing local staff to focus their knowledge, skills and efforts on the locally-unique aspects.
Acceptance: this is essential to plan and perform the recovery process. Leaders need to establish and enforce a tempo that will sustain the required level of work without risking burnout, plan a recovery process, and ensure it is trusted by the whole organisation. Earlier emotions may recur, in particular anger and depression, so everyone must ensure the shared, no-blame approach is maintained. Here external support can help emotionally as well as practically: people who are less directly engaged are better placed to manage their own emotions and can spread confidence – “we’ve done this before, with a successful outcome” – among those who are going through a thoroughly unpleasant experience for the first time.
Tony suggested a sixth stage, not in the original Kubler-Ross model:
Meaning: sometimes referred to as “never let a good crisis go to waste”. Once an organisation has successfully recovered from an incident, it should always review what lessons can be learned and implement measures that make a repetition less likely. This still needs care to manage emotions: a successful review will identify improvements to processes, systems and guidance; one that descends into blaming is unlikely to help the organisational situation and may even make it worse.