Active Response

Always A Bad Day For Adversaries

The Darker Side of Threat Intelligence: Cyber Stockholm Syndrome

Stockholm Syndrome is a psychological phenomenon described in 1973 in which hostages express empathy and sympathy and have positive feelings toward their captors, sometimes to the point of defending and identifying with the captors. - Wikipedia

Maturing as a threat intelligence analyst involves “living with your threat.”  In my interview process I ask potential analysts about threats they’ve tracked in their career.  Tracking a threat for months or years creates a unique learning environment and I look for that in analysts.  Unsurprisingly, in that environment an analyst becomes intimate with the adversary’s routines, their interests, and even begins to distinguish characteristics of individuals from within a larger group.  An analyst gets truly connected when they can successfully predict a threat’s activity.

However, while this sounds like an analytic panacea and also something threat intelligence production cells strive to build, it comes at a cost.  The risk is that analysts go beyond being closely connected and become “married” to a threat.  In living with that threat every day, spending all of your professional time studying them, spending hundreds of hours discussing them with others, it is impossible not to closely connect with the adversary on the other side of your screen.  Analysts become personally attached to the “bad guys” – a “Cyber Stockholm Syndrome.”  I personally know analysts who have fallen into depression when their threat goes away.

Not only is this unhealthy for the analyst, this relationship also affects their communication and infects their analytic capabilities reducing objectivity.

Symptoms of “Cyber Stockholm Syndrome”

  • An analyst gets particularly protective and defensive regarding perceived encroachment on their territory
  • An analyst unnecessarily hides intelligence and data to prevent others from knowing details helping to maintain their superiority
  • Overwhelming and obvious confirmation bias – an analyst “seeing their threat in everything”
  • An unwillingness to work on other threats even given clear direction and obvious priorities
  • An analyst continues to work on a threat even after the threat is “gone” against overwhelming evidence and analytic consensus

What may cause this?

One hypothesis: an analyst may associate their self-worth with an adversary.  As the analyst grows in mastery of knowledge of an adversary, they produce spectacular intelligence and amazing insight providing great value to others; this results in praise from leaders and admiration from peers creating a feedback loop.  The cycle strengthens the bond the analyst builds with a threat as the threat continues to provide value to the analyst.

What should happen?

When this happens managers may respond by immediately separating the analyst from the threat.  I don’t believe that is the right answer.  Separation causes resentment and potential psychological problems such as depression.  Instead, managers of analysts should look to slowly incorporate other analysts into the equation and ultimately strive to return the analyst to a proper relationship so they don’t lose that valuable expertise.

Most importantly, analysts must recognize this problem in themselves.  For their own professional and personal well-being.

Additional Discussion

Chris Sanders (@chrissanders88) made an excellent point that Stockholm Syndrome requires empathy with an aggressor which is lacking in my description.  I agree that the syndrome’s description includes that requirement but its exclusion from the DSM means there is no consistent definition.  Further, active academic discussion on the topic includes whether Stockholm Syndrome actually exists or is really one facet of a larger aggressor-bonding trait. While empathy is not the right aspect of the bond I describe here there is an attachment bond created either through the return on investment (ROI) the analyst receives through the adversary or otherwise.  This is evidenced by both the confirmation bias present and the sense of depression described by analysts.  I agree that the application of the Stockholm Syndrome may be imprecise.


Keeping up with the Stream: How I Maintain External Situational Awareness


Threat Intelligence Definition: What is Old is New Again


  1. It’s hard to discuss with much nuance on Twitter, so let me add some color to the discussion and clarify some of my points after reading your update. I’ve personally seen the exact thing your talking about here and your key point is a great one. Many analysts do fall into the trap of all the inherent biases you discuss.

    That said, I don’t think it’s really relevant to stockholm syndrome which is kind of its own unique thing. I cite empathy as a core tenant of stockholm syndrome (not a requirement, as you state, its loose research and there aren’t hard ones). The analyst isn’t empathizing with the threat actor or even building a bond with them. I think it’s more of a reflection of an internal state where the analyst draws self worth from their expertise. Think hierarchy of needs — the analyst is self actualized by their expertise. Anything that threatens the usefulness of that expertise threatens that actualization and threatens to take away what is fulfilling this need. Therefore, the analyst exhibits a lot of the behaviors you mention.

    A similar parallel many of us can relate to is tool development. When a person develops a tool, that fulfills many of the same needs. What you often see is people trying to push that tool into doing other things it might not be a fit for, or “finding” reasons to use it when other techniques or tools would be better. It’s over application of the tool just like an analyst might over apply their theories in the sense you describe.

    All told, this all boils down to a pretty complex set of emotions and behaviors, and there are more than a few viewpoints on this.

  2. Boorish Leo

    Mr. Robot much? This issue should not happen in a work environment that has a healthy indoctrination program and continuous support that unrestricted economic warfare is not okay.

  3. bless

    Interesting post, thank you.

Leave a Reply

Powered by WordPress & Theme by Anders Norén

%d bloggers like this: