Lulz&Profit

Layer 8½ June 14, 2026

Story Time

Picture this: You are young. And the world is not providing what you need. It's a drag. But not today. Oh, today is different.

Your phone lights up. It's go-time. The crew is assembled. Your rig switches from blue to purple. You sit up in your gaming chair. Headset on. Voice chat is open. Someone is already sharing their screen, discussing tactics. You know your opponent already; you have been studying them for weeks. Someone is chewing something noisily and gets his verbal beating accordingly.

Your stack of energy drinks is on hand. The rest of your room disappears into the new room you're entering mentally. Game face on. Today, you are the support. You know what you have to do. They won't know what hit them.

The voices become quiet. The caller hits his first number, while the others keep their eyes on their notes, the intranet, the Slack channels. You already know enough from the guy's LinkedIn. A walk in the park, really.

Time loses its meaning. Everyone is providing running updates on the campaign. Listening closely as the target still remains unconvinced. You build out the pretext in real time, hammering hints into the chat. You are focused. Your brain is overclocked.

He won't break with this method, try this instead. HR mentioned this just last week, build on that. Now: more pressure! It is sooo urgent, come on! Got it! The dopamine kicks in full throttle.

The password was reset. Next phase, quickly now. You know what your job is. You try both approaches. This one's not it, we'll stick to the other one. Sip of energy. Shut the admin out. Get the database. Great job! It's not quiet anymore. Everyone's boasting! You are unstoppable. Let's see how long it takes until you hit the headlines.

Will they pay? If they don't, someone else will. That's a win either way. You provided your skills. You learned so much this session, too. What worked, what didn't. Next time will be even smoother. Damn, you're good. Everyone was just so good.

Phew! When was the last time you had that kind of fun at work?

A man in a shirt and glasses (It's Chidi from The Good Place) says to his smiling buddy: "I haven't been this happy since, oh wow, I've never been happy. Bad!"

The Problem

You might have already drawn the conclusion that I painted a scene of the Advanced Persistent Teens in action, who managed to pop many an org in the last two-ish years. Despite the whole cybercrime stuff, we have to acknowledge that they do some things right. It probably is not just the money that motivates them. It is most likely a mixture of peer recognition, dopamine and sweet new money. Pwning orgs for lulz and profit.

And besides having these very strong incentives, they also employ methods to stay on top of things: filling gaps in individual and team knowledge on the fly, sharing tools and techniques, learning from their own and others' mistakes. And I think there is something to learn here other than: do cybercrime and do time.

In many organisations the economic and corporate pressure is so immense that employees are working more or less in isolation, with creativity and learning brought down to almost zero. Do your job, make the numbers go up, don't cause trouble, don't click on links in emails, and btw. here is our new policy on AI tools, just click the link.

I'm on the team that says: AI is going to help cybercrime more than defenders, in the near future at least. A bigger issue in my opinion is the professionalization and operationalization, like Phishing/Malware/Ransomware/etc.-as-a-Service, the whole Initial Access Broker market and so on. And somewhere in between these two sits this culture thing. It's not just that the criminals' working culture is really that good. Many organizations employ a very bad working culture, often relying on the old Shaming&Blaming™. And renaming HR to People Team is not doing a better job. Same for swapping people for LLMs. And this adversarial advantage will not be met by making phishing simulations more realistic and individualized. This issue will take some work.

A man in suit and bowtie and glasses (Michael from the Good Place) says: It's gonna take a lot of work, but the work is the fun part, guys.

Security as a cultural issue

You'll read that again and again on this blog: Security is more than shiny tech and sweet sweet policies. We do find human error in technical and non-technical teams. The differentiating factor is the culture. We'll have to dig into that term a little deeper, but that's for another post. For now, let's focus on one specific factor that is essential for a good security culture, that might also be good for profit and employee satisfaction.

And that's psychological safety, which basically just means that you can trust that you will not be punished, blamed, shamed, mocked, belittled etc. for making mistakes, pointing out issues or asking questions, even several times. When people can expect psychological safety, they are way more likely to point out issues, feel that their engagement matters, gain interest in improving things, clear up uncertain processes and give feedback on which tech and processes work sufficiently and which do not. The ones that do not almost certainly lead to shadow IT, shadow AI and shadow processes.

When someone asks the same question for the fourth time, that shouldn't be viewed as a nuisance. This is a signal. Either the answer wasn't clear, or the process isn't. Answer it again, plainly, without audible eye-rolling. Otherwise you risk leaving people in a state of hesitation and doubt until, after hours of grinding over it, they do the task, but wrong.

This might also hint that what is good for security in this regard is also good for quality, which will make your Quality Assurance Officer happy.

Employing a culture of psychological safety will also improve employee satisfaction, because less fear does that to people, but it also improves the way teams work together. And working together effectively, see the story time in the beginning, is fun.

Mind, the Gap

This is, however, easier said than done. We are heavily biased towards working in isolation and then spending time in meetings that could have been emails, or not happening at all. We tend to be annoyed when someone asks about a topic for the fourth time or someone clicked on a link again. Or when a CISO didn't prevent that cyberattack.

So, how should we go about bridging that gap? You probably won't get budget for some fancy cultural improvement program. But you might start small and, as always, start with inventory. Start an anonymous survey, asking for the willingness to report attacks, mistakes (your own, those of others, those of superiors), issues with policies and processes that don't fit the reality of everyday work, or uncertainty in dealing with challenges. Make sure to include a question on whether or not respondents felt pressured to answer in a positive manner.

Improvement then has to travel down through management. Because this is where Trickle Down actually does work. Use stories of mistakes and the improvements that followed through group effort to drive that development further. This has to become part of regular meetings and the like.

Make sure, though, that you follow up on instances of shame, blame and retribution thoroughly. You don't have to let people go immediately for not applying psychological safety. But you should follow up on such issues and make sure that the situation is resolved in a constructive manner nonetheless. Because no one will believe your effort otherwise.

Ah, it's this people stuff again, isn't it?

A man in suit and bowtie (Michael from The Good Place) lays his hand on the shoulder of a man in a brown suit with a red tie (Shawn) and says: Let's try a new way, together.

We have to start somewhere, but we do have to start. We will need people who like to work in that specific org, and we will need them to stay on top of technological and societal developments. And we will need them to do that together. Because the adversaries already do that well enough.

They do it for lulz and profit.
The question is: When do we?
