
What Are the Objectives Upon Leaving the Comfort Zone?

Part 3 in the series on leaving the Comfort Zone.

In Part 3 of the “Leaving Your Comfort Zone” series we focus on the much talked about but rarely invested in subject of changing security behavior. It is widely accepted that threat actors compromise an organization’s layered cybersecurity defense by exploiting the weakest link: humans. Security strategies that rely on a layered approach often overlook the human layer (the H Layer), the informal eighth layer sitting above the seven layers of the OSI model.

The primary weapon of this layer and, in fact, the primary target of the adversary is the human mind. If an organization is to make this weapon as effective and efficient as possible in the defensive effort, the catalyst for changing the individual’s perspective regarding security behavior will be an organizational training program designed within the context of continuously maturing the cyber model of the enterprise culture.

Mental Toughness

The individual training program is designed to improve performance in each of the four core components of the mind: Control, Confidence, Challenge, and Commitment, otherwise known as Mental Toughness. Mental Toughness is the key to achieving the desired security behavior, building the discipline that turns that behavior into a habit, and sustaining the perseverance and grit needed to maintain the situational awareness required for informed decision-making in what is recognized as a chaotic, uncertain and fluid threat environment.

Strengthening the H Layer requires leaving the Comfort Zone and executing a cybersecurity training program that targets the human factor in three respects: learning, behavior performance improvement and individual motivation. Motivation comes from an appreciation of the individual’s value to the enterprise cyber maturity effort and from a feeling of personal accomplishment. Such a program integrates knowledge-based learning with skills-based learning.

Traditional knowledge-based learning is the basis for the continuous growth in the security knowledge base of the individual while the skill-based learning model is used to create an experience requiring the employee to apply the knowledge, through practice scenarios where all the variables, relative to their role, simulate an event they might experience in the daily performance of their assigned tasks.

Such a program is, quite possibly, the most strategic action an organization can take if the goal is to have a proactive, resilient program capable of being adaptable, flexible and maneuverable in an environment of friction and disorder. Each employee must have the knowledge and skill to securely perform the duties of their role in an environment that creates situations ripe for exploitation by an opportunistic cyber enemy. The employee’s emotions and/or behavior in the performance of their duties or on social media platforms often identify them as being vulnerable to such exploitation efforts.

An organization can have the best weapons (technology) in their layered defense but, if people are deficient in their ability to use them or negligent in using them as intended, they are “the weakest link” in the cyber defense plan.

Sun Tzu says, “Know yourself, know the other and victory will be certain.” Your adversary has, at a minimum, a decade of experience advantage in the knowledge and skills associated with the tools they have been provided to breach their target, and possesses a deep understanding of the lack of the same on the part of their enemy: YOU! As such, they currently have, in far too many situations, a significant competitive advantage. Leaving the Comfort Zone involves continuously striving to narrow that competitive advantage.

With the decision to leave the Comfort Zone, the execution plan must have specific, quantifiable and measurable objectives of success on the continuous journey from the organization’s “current state” of cyber defense to the continuously evolving “future state” of defense against the threat environment.

The organization must be prepared to fight the fight it is experiencing today, by weaponizing the mind of each member of the human security layer for the purpose of improving the performance of the desired security behavior.

Training Program Objectives

Establish a program of knowledge and skills performance growth.

Knowledge is the theoretical understanding of something, which is acquired through lectures and textbooks. Gaining knowledge and putting it into practice is fundamental to learning and the most effective way to learn is to build upon what you already know. Knowledge-based learning, therefore, refers to reading, listening and watching to obtain the information needed before progressing to the next stage of learning.

Traditionally, education has followed this path to greater knowledge, but as skill gaps emerge, new ways to address them must be implemented. Skills can be acquired by doing and the best way to master something is through regular practice or trial-and-error scenarios. Skill-based learning aims to build upon knowledge by developing practical expertise in a particular area.

Skills-based education is essential for a few reasons:

  1. It promotes greater independence. Employees who learn through skills-based instruction are more likely to think at a higher level and solve problems on their own. This is critical to maintaining the desired security behavior in the growing remote working/work-from-home environment in business today.
  2. It increases learning speed. People learn much faster when there are multiple ways for them to absorb information. A skill-based approach builds on what they already know and helps them grasp concepts more quickly. Perhaps more importantly, this type of training has resulted in average student retention rates of 75%, versus a combined 50% when traditional lecturing, reading, audiovisual, demonstration and discussion are the only approaches to education. Only teaching the subject to others yields a higher retention rate (90%).
  3. It provides real-world experience. Training scenarios that reproduce real conditions, without the risk that accompanies real mistakes, let individuals experience and build upon, much more quickly, both their current knowledge and the new knowledge being introduced.

In such scenarios, skill performance in the control and confidence components of mental toughness can be improved. These two components are the inner strength of an individual. They are responsible for the emotional control critical to decision-making in the chaotic environment of cybersecurity, and for increasing confidence in the ability to make the correct decision at a “tempo” that forces the attacker to respond to the defender’s actions, thus putting the defender in control of the situation.

Although the importance of a skill-based curriculum cannot be overstated, knowledge is still a crucial foundation for an individual to be able to apply their skills and understand the broader reasoning behind what they are learning and why.

Change The Mindset and Subsequent Perspective of The Individual

Improve the individual’s mindset regarding their importance in defending critical data and intellectual property, and overcome any cognitive biases that may exist. Cognitive bias has a strong influence on behavior. Gaining the desired commitment to security in general, and changing the individual’s perception of their importance in achieving the desired cybersecurity behavior, can overcome these biases. Applying existing knowledge through preparation and testing in training scenarios provides experiences that change or remove the biases.

This training and preparation should help answer the frequently asked question “why are we doing this?” The answer to that question plays a key role in changing the individual’s perspective on the importance of their commitment to improving their security behavior, as part of the organization’s objective to develop a mature cybersecurity model within the enterprise culture.

When a person understands the organization’s appreciation of their value to the success in achieving a mature cybersecurity model, the outer orientation elements (i.e., challenge and commitment) of mental toughness are activated. The challenge element creates a desire to learn from everything and to stretch themselves. The commitment component causes an individual to become more goal oriented and delivery oriented.

Success in delivering the desired behavior, and recognition for doing so, provides some satisfaction of the individual’s human need for a sense of accomplishment and, in some small way, the desire to achieve their full potential.

Be Intentional in Improving Situational Awareness

Situational awareness is the adaptive, externally directed consciousness built on the knowledge of a dynamic task environment and directed action (i.e., behavior) within that environment. It is the use of the sensory system of an individual to scan their environment with the purpose of identifying threats in the present or projecting those threats into the future.

The greatest danger presented by operating in the comfort zone is the failure to identify critical vulnerabilities and the risks they present due to the perception of safety such behavior has created. A continuous effort to mature an individual’s situational awareness requires expanding the mental boundaries that currently create a false sense of security due to operating in the comfort zone.

At a minimum, every individual must perform their daily duties understanding that threats exist in their environment. They actively search that environment to detect behavior that would indicate the presence of an attacker. Upon recognizing a potential threat, they are prepared to act in accordance with the security policies of the organization.

In conventional warfare, the primary focus is on targeting the critical vulnerabilities which, “If exploited will do the most significant damage to the competitor’s ability to resist.”

The 4th Generation Warfare environment[1] of cybersecurity requires training focused on the specific vulnerabilities and risks associated with the individual’s role in the organization. The vulnerabilities the adversary is attempting to exploit, and the attack methods being used, can be addressed through threat intelligence. The more significant vulnerabilities to address are those within the unique operational environment of the organization and, specific to the goal of this training program, the exploitability created by the behavior of the individual in the performance of their duties in their role in the organization.

Such an effort requires forward-looking planning and rigorous self-examination. Rigorous self-examination requires more than the annual vulnerability scan or penetration test performed to meet compliance requirements, which is too often the norm.

When assessing the individual’s current situation, the risk to exploitation due to their behavior must include the adversary’s perspective on assessing a likely target (i.e., a smart enemy attacks their target where they are most confident in their safety).

As many recent breaches have demonstrated, cyber criminals have altered their tactics to exploit vulnerabilities within applications, devices and widely implemented security controls being used by the individual in the execution of the duties of their role. Many organizations deploy new technologies absent an understanding of the vulnerabilities being introduced or the potential for exploitation of an individual as a function of the adversary observing their behavior. Every worker must understand the risk associated with their behavior and the potential exploitability it creates in the 4th Generation Warfare environment in which they operate daily.

Because situational awareness requires the use of an individual’s sensory system, a large part of it is founded on the person’s intuition. We are born with a sense of intuition that a person can hone and develop.

It is influenced by life experiences, emotional intelligence, risk tolerance and the individual’s environment. In essence, it is a mindset skill which can be improved through skill-based training. The benefit of such skill development is the creation of a powerful force that can aid a person in making the right decision at a tempo causing the attacker to respond to the defender’s actions instead of the normal scenario of the defender responding to the attacker’s actions.

Improve Decision-Making Skills

It is a principle of human nature to assume that our decision-making will improve on its own. When operating in the comfort zone, that assumption can have very costly consequences.

In order to avoid this assumptive aspect of human nature, there must be an intentional commitment to growth in decision-making, using training scenarios designed to create the natural chain of emotions that follows the recognition of a potential or in-progress attack. Much like the “kill chain” of any breach and potential loss of critical data, the victim will experience a sequence of emotions that can negatively impact their decision-making.

Causing a person to experience this chain of emotions in training scenarios, where the risks are eliminated, provides familiarity and confidence in their ability to make decisions under the stress and uncertainty of the situation that comply with the security leader’s intent.

These types of security training scenarios are often conducted by the security staff of an organization to enable better decision-making in response to an active threat. In this remote work/work from home environment such scenarios designed for the employee role will significantly improve decision-making and security behavior at the attack point.

Conclusion

The cause of greater than 90% of breaches is attributed to a lack of situational awareness on the part of employees and the subsequent human error made due to that lack of awareness. Both deficiencies in human behavior can be significantly mitigated through a focused training program built on a strategic training plan.

The 4th Generation Warfare environment in which each employee operates requires an integrated knowledge-based and skill-based training program whose purposes are, at a minimum, developing the desired security behavior as a habit, continuously improving the performance of that behavior in the individual’s operational role, and narrowing the skills gap that exists between the human attacker and the human defender.

Behavior is a learned skill and is subject to becoming a habit if the desired behavior is continually emphasized and reinforced through training. Such training must address the failings of human nature, relative to behavior, by continuously exposing the organizational environment, through the training program, to the latest malicious activity.

The preparation that enforces the desired security behavior and provides each person with an appreciation of their value in contributing to the enterprise cybersecurity effort should leverage the human tribal instinct for safety, the success of the tribe and the natural desire to feel a sense of belonging and contributing to that success.

Reinforcement through regular testing, using scenarios based on the current threat actors’ tactics, techniques and procedures, is essential to making the desired behavior habitual.

In Part 4, we look at how to leave the Comfort Zone and discuss points of focus for the Learning Zone and Growth Zone.

[1] A conflict characterized by a blurring of the lines between war and politics, combatants and civilians. Roughly speaking, “fourth generation warfare” includes all forms of conflict where the other side refuses to stand up and fight fair.

Author

Steve King

Industry Cybersecurity Strategist
