Psychological impacts and human dimension of a cyber crisis on an organization: results of the interdisciplinary PSYBER study[Impacts psychologiques et dimension humaine d'une crise d'origine cyber sur une organisation: résultats de l'étude interdisciplinaire PSYBER]

CONTEXT: Combating cyberattacks has become a public policy and global security issue, particularly an economic one. The numerous cases of public and private organizations impacted to varying degrees over the past decade demonstrate the widespread and professionalization of cybercrime. In addition to the technical challenges of business continuity and recovery, there are financial, legal, and communication challenges. All of these aspects make understanding and then resolving a cyberattack even more complex. These attacks leave a lasting mark on memories and behaviors, lastingly influencing organizations. More recently, the question of the human dimension of cyberattacks, both in their handling and response, has emerged, albeit through rare testimonies. All agree: cyberattacks bring with them a complexity of reactions and emotions. However, failing to consider this specific biological and cultural dimension of cyberattacks adds significant difficulty to technical and operational remediation, across all timescales, and sometimes even causes psychological difficulties for some individuals to carry out their missions. While some milestones exist here and there, no study has addressed the subject to date. The PSYBER study, composed of PSY and CYBER for the words psychological and cybersecurity, was conducted jointly by an anthropobiologist and three cybersecurity experts. OBJECTIVE: Its primary objective is to better understand the complexity of cyber-related crises from a holistic perspective and to propose a set of recommendations for mitigating and improving their treatment based on the kinematics considered. The secondary objective was to identify the elements that hinder cyber-related crisis management in order to improve the remediation process, as well as to address the needs of stakeholders by focusing on their emotional narratives. Recommendations and operational tools were co-designed by these professionals. METHOD: The exploratory qualitative study involved 10 respondents from different organizations with moderate to high expertise in the subject of cyber-related crises. The study was conducted in two stages: a co-design phase with three specialists, followed by an in-depth phase with the ten respondents, supported by a multidisciplinary steering committee. During semi-structured face-to-face interviews conducted via videoconference, the experts' accounts were collected regarding their experiences with cyber-related crises and their management. RESULTS: By studying the experts' accounts, the working group was able to identify the needs of managers and teams facing a cyber-related crisis by integrating the human and psychological dimension into the previously techno-centric principle of operational remediation. Specific effects of the cyberattack were also analyzed from a neurophysiological perspective and described in a behavioral typology. The mechanisms of satisfaction and dissatisfaction in managing the cyber crisis were also mapped by responsibility, entity, and business group on the following levels: 1. emotional, with better (re)cognition of individual experiences; 2. organizational, with better recognition of roles; and 3. symbolic (particularly in the implementation of rituals). The expert respondents offer concrete tools through a series of recommendations for the specific holistic preparation of leaders and their teams, across several timeframes: before, during, and after the crisis.