Decision Making Under Stress

Technology rarely fails in isolation, and so security incidents are often described in technical terms.

Systems are compromised, controls are bypassed, and alerts are generated. These descriptions are accurate, but they are incomplete. The way an incident unfolds is influenced as much by human decisions as by technical events.

Once an incident is detected, technology provides signals. People interpret those signals, decide what matters, and determine what happens next. The quality and timing of those decisions shape the outcome.

Pressure changes how decisions are made

During an incident, normal working conditions no longer apply. Information is partial, time is compressed, and consequences are unclear. Decisions that would usually involve consultation and analysis must be made quickly.

Under these conditions, individuals rely on experience, instinct, and whatever guidance is immediately available. This is not a failure of process; it is a human stress response.

“Incidents are shaped less by tools than by the quality of decisions made when information is incomplete.”

Roles become blurred at critical moments

Incident response plans often define roles clearly on paper. In practice, those boundaries can blur. Senior leaders may become involved earlier than expected. Technical specialists may be asked to weigh in on business risk. Responsibility can shift rapidly as new information emerges.

When roles are not reinforced under pressure, decision-making can slow. People hesitate, unsure whether they have the authority to act or escalate.

Communication becomes a constraint

As more stakeholders are involved, communication complexity increases. Updates need to be accurate, timely, and appropriate for different audiences. Misalignment between technical detail and business understanding can create friction.

When communication channels are unclear or overloaded, decisions are delayed. This delay can have a greater impact than the technical issue itself.

Experience matters, but only to a point

Teams with incident experience often respond more calmly. They recognise patterns and know which signals to prioritise. However, experience does not remove uncertainty. Each incident has unique elements that challenge assumptions.

Relying too heavily on past incidents can be misleading if environments or threats have changed. What worked before may not apply now.

When training and plans are not enough

Training exercises and documented plans provide a foundation. They familiarise teams with procedures and expectations. What they cannot fully replicate is the pressure of a real incident, where reputational and financial consequences are tangible.

This gap explains why incidents can still feel chaotic even when preparation exists. The challenge is not a lack of effort, but the difficulty of translating preparation into confident action under stress.

Decision quality influences escalation

Escalation is often attributed to the severity of an incident. In practice, it is influenced by how quickly decisions are made and how confidently they are communicated.

Clear decisions reduce uncertainty. Unclear or delayed decisions allow doubt to spread. Over time, that doubt becomes a driver of escalation.

What organisations tend to examine next

Reflection often focuses on how decisions were made rather than on which controls failed. Attention turns to authority, communication, and the conditions under which people are expected to act.

These reflections are not about assigning blame. They are about understanding how human factors shape incidents and what supports better decision-making when pressure is highest.