Preparing for Task Loading During Incident Response
Our capacity for processing information is limited. Originally proposed in 1988 by psychologist John Sweller at the University of New South Wales, cognitive load theory states that “as a result of higher cognitive load, a stimulus is more difficult to pay attention to.”
A “task load” describes the degree of difficulty we experience when performing a task, and task loading indicates the accumulation of tasks necessary to perform a specific operation. I first learned about task loading as a scuba diver, but it’s also common — along with the subsequent distraction and stress it causes — during security and privacy incidents.
Impact of Task Loading
Human beings have a limited cognitive capacity, meaning our perceptual systems (those that process information from the five senses: vision, hearing, smell, taste, and touch) and our neuropsychological processes of attention can only do so much at the same time. New and unfamiliar tasks require a significant amount of this capacity with skills requiring conscious thought and laborious execution. As tasks become more familiar, they require less conscious attention and the associated skills become embedded in memory. Therefore, the more familiar a skill is, the less cognitive capacity it requires.
In addition to taking up cognitive capacity, new situations and tasks increase activation of affect systems, triggering strong emotional responses, such as excitement, fear, and anxiety. A little activation is helpful in stimulating us to action, but higher levels inhibit thinking and reduce our cognitive capacity. In new tasks or environments, the demands on our cognitive capacity mean that our ability to attend to all elements of a situation is limited.
Excessive task loading can also lead to failure with even simple or familiar tasks as we reach the limits of our cognitive capacity. It’s not uncommon for individuals to enter a cycle of perception narrowing, focusing exclusively on one perceived problem or task to the detriment of the overall situation.
Incident Response Planning
Almost every aspect of incident response includes multiple tasks from the moment an investigation begins. As a result, some task loading is inevitable. However, we should try to limit task loading to an individual’s level of training and experience. In diving, more experienced divers with advanced certifications are expected to look out for the entire group and assess the surrounding environment in detail, while new divers are instructed to focus on critical and immediate tasks like equalizing their ears and maintaining good buoyancy.
In incident response, individuals unfamiliar with the subject matter or response procedures may have situational awareness limited to themselves and their job function. They might miss important aspects of the situation, such as how all the elements relate to each other or how a specific incident fits within the context of company history, industry trends, attack campaign, or public perception.
Understanding that members of our security and privacy teams, as well as cross-functional partners, have varying levels of experience with incident response, it’s important to proactively consider how you’ll reduce the effects of task loading during an incident.
Make it Routine
New situations overwhelm our senses with new information, forcing our brains to work hard to sort out what to do with it. At the same time, our perceptual systems are trying to respond with more difficult, conscious understanding like assigning words to new things we haven’t seen before. All of this takes up cognitive capacity.
A clear procedure helps individuals and organizations address a situation by completing the most essential tasks first. With practice, the procedure becomes habitual and automatic, which reduces the demand for cognitive resources and helps reduce delays due to uncertainty about what to deal with first. This is a core aspect of nearly every incident response plan I’ve seen — but most of them still fail to address task loading because they’re not aligned with day-to-day operations. The more distinct your incident response plan is from the way your team works every day, the harder it will be for those procedures to become habitual and automatic.
Rather than approach incident response planning and practice as an infrequent occurrence, a better approach is to consider it from the perspective of a cognitive behavioral chain. As a cognitive behavioral chain, alternative routes exist at every step or stage of an incident. Selecting the most appropriate ones is a skill and the more you do it, the better off you’ll be, both in terms of your competency with individual tasks and reducing the impacts of task loading.
Because of this relationship between frequency and habituation, the best incident response plans mimic everyday operations up to the point of escalation, and then adopt existing procedures and protocols from across the company. For example, many companies have cross-functional response procedures for major outages, physical safety threats, and other non-security incidents. Aligning with procedures already familiar to cross-functional partners helps them reduce excessive task loading caused by a new and foreign process.
Over time, as tasks and environments become familiar, they require less of our cognitive capacity and are less stimulating to affect systems. Proactively planning for task loading in our incident response gives us more cognitive capacity to take in and make sense of more elements of the situation.