The Psychology Behind Why we still Struggle with Cyberattack Response

Interview with Dan Potter of Immersive

Preparation does not guarantee performance. In this interview, Dan Potter, Senior Director of Operational Resilience at Immersive, explains why confidence can mask vulnerability, how human factors shape incident outcomes, and what leaders can do to build resilience that holds up when tested most.  

Cyberattacks have become a familiar feature of modern business, and most organisations have planned accordingly. Yet even with the most comprehensive response plan in place, many organisations struggle to manage when a cyber incident unfolds in real time. 

From frontline cyber practitioners to senior leadership, performance can quickly deteriorate under pressure, leading to muddled responses, slow reactions, and wrong choices.  

Why do organisations struggle to respond effectively to cyberattacks, even when they believe they are prepared? 

Many organisations genuinely believe they are prepared because they’ve invested time, money, and attention into cybersecurity. And in most areas of the business, that should be enough. But in dealing with a cyber incident, you can’t afford to build your confidence based on activity – it must have a foundation in experience too.   

As a result, we consistently see a gap between perceived readiness and actual performance. In Immersive’s recent research, almost all (91%) business leaders expressed confidence in their organisation’s ability to handle a major cyber incident, and most (71%) believe they have a mature cyber readiness programme.  

Yet when teams were placed into realistic, high-pressure simulations, performance told a very different story, and confidence dropped to around 60% in Immersive’s crisis sims.

That disconnect exists because confidence is reinforced by metrics like completed training and documented plans, which reflect how people behave under genuine stress.

That disconnect exists because confidence is reinforced by metrics like completed training and documented plans, which reflect how people behave under genuine stress.

Most people are not naturally good at handling the adverse conditions created by a cyber incident. There’s a high perceived risk and impact of failure, combined with significant uncertainty and incomplete information, all wrapped up in intense time pressure. Decision-makers often must make snap choices, but overreacting and taking a server offline unnecessarily could cause more harm than good. 

So, people become more cautious and reactive, and more likely to rely on familiar patterns, even when those patterns are no longer appropriate. 

Immersive’s simulations show that decision-making often deteriorates during an incident. What is happening psychologically when teams are placed under that kind of pressure? 

When people are under intense pressure, their brains start to behave very differently from how they do in calm, analytical settings. The combination of urgency, uncertainty, and fear of failure is incredibly disruptive to good judgement. Average decision-making accuracy in Immersive’s crisis sims is just 22%. 

One of the first things that happens is cognitive narrowing, which is when people focus on a smaller slice of information and lose sight of the wider picture. It’s a common threat response and can be useful in simple emergencies, but in complex cyber incidents, it often leads to tunnel vision. Teams fixate on technical details, wait for more certainty, or defer decisions upwards rather than stepping back to coordinate a response. 

There is also a strong emotional component. Cyber incidents trigger anxiety around loss, reputation, and personal accountability. When people feel that risk, they become more cautious and less willing to act decisively. Ironically, that hesitation can slow containment and increase impact. 

Another important factor is expectation. Teams tend to perform best when events unfold in ways they recognise. But serious incidents rarely unfold predictably, and when it goes differently from rehearsed responses, confidence starts to plummet.   

So, it’s not a case of putting in more hours of study and practice – that knowledge and preparation are often meaningless without the experience to back it up. 

Why does lack of coordination matter more than lack of technical knowledge during a cyber incident? 

Cyber incidents are often thought of as technical events, but they’re really fast-moving crises that affect the whole business. That means they demand coordinated action across multiple teams simultaneously. So, when things break down, it’s often not because individuals don’t know what to do, but because people are unsure who should act, when, and with what authority.  

When things break down, it’s often not because individuals don’t know what to do, but because people are unsure who should act, when, and with what authority.  

In high-pressure situations, humans look for clear structure. When roles, escalation paths, or decision rights are ambiguous, people hesitate. They wait for reassurance, seek permission, or focus narrowly on their own responsibilities. That behaviour is completely natural, but it creates delays and bottlenecks when time matters most.  

What we often see in simulations is that technically strong teams slow down because they are trying to coordinate decisions with legal, communications, or leadership teams that have never practised working together under pressure. Each group is operating with different priorities, language, and risk thresholds. If teams haven’t practised those interactions in realistic conditions, even small misalignments can cascade into significant delays. 

However, in Immersive’s exercises, less than half (41%) of organisations typically include departments like legal, executive, and communications. This means this critical cross-departmental teamwork is not being put to the test. Despite this, 90% still told us they felt their cross-functional communication is effective.   

What should leaders do differently if they want to improve decision-making and resilience during cyber incidents? 

The most important shift leaders need to make is to stop treating cyber readiness as a compliance exercise and start treating it as a human capability. Policies and plans are important, but they don’t tell you how people will behave when they are tired, stressed, and forced to make decisions with incomplete information. 

Real resilience is built through exposure and practice, not reassurance, yet less than half (46%) of organisations currently use performance-based metrics to assess readiness.  

Leaders should ensure teams are regularly placed into realistic scenarios that reflect the ambiguity, time pressure, and cross-functional tension of a real incident.  

That means simulating difficult decisions in unfamiliar situations, not just the expected technical responses. If people have never had to make trade-offs under pressure, they will struggle when those moments arrive for real.  

Finally, this approach needs to encompass the whole organisation, not just IT and security personnel. Non-technical teams need to be involved too, including leadership. 

When executives experience the discomfort of making time-sensitive decisions in a simulated crisis, it changes how they think about risk, investment, and preparedness. Resilience improves when decision-making is practised at every level, not assumed at the top. 

Executive Profile

Dan Potter joined Immersive in 2022. He previously worked at Citi for over 15 years, gaining significant expertise in the design, delivery and management of resilience related disciplines including crisis management, business continuity and disaster recovery (including cyber), third party resilience and exercising.