Last Updated on May 13, 2025 by Dave Farquhar
Today I want to talk about a concept called learned helplessness, something that was widely studied and taught in the 1980s but seems to have fallen by the wayside a bit, although I certainly see it happening today. Computer security, especially the fields of vulnerability management and patch management, is very prone to learned helplessness. The good news is, it’s possible to overcome.
How a professor induced learned helplessness in five minutes

There are many examples of learned helplessness, but an example that hit home for me was a video clip recorded sometime in the mid 1990s. It was recorded in what appeared to be a college or university classroom. The professor induced about 1/3 of her class into a state of learned helplessness in about five minutes.
The professor handed everyone a sheet of paper with three tasks on it. For half the room, the first two tasks were very simple. For the other half of the room, the first two tasks were impossible. Everyone received the third task. The third task was possible, but not as easy as the other two tasks half the room received.
The professor would tell the students to do the first task, tell them it’s not meant to be hard, and raise their hands after they finish. So half the room was finishing the trivial task in a matter of seconds and raising their hands while the people with the impossible task looked at their paper, looked at the rest of the room, and wondered what was going on. Then the professor said don’t worry about the first one, move on to the second one. Just get the second one done as quickly as possible, and then raise your hand when you’re finished.
The third task was where the magic happened. For the half of the room who had received easy tasks, the third one was considerably harder. But it was still possible. Not everyone who received the easy tasks finished the third one quickly, but most of them did.
On the other half of the room, about 1/3 of the students completed the third task. But 2/3 of them couldn’t finish the third task either.
At that point, the professor explained the experiment and told them it was a demonstration of something called learned helplessness. The amazing thing was that it only took two impossible tasks and a few minutes to make learned helplessness kick in.
Learned helplessness in animals
Learned helplessness happens in animals as well. My dog was an escape artist. She could open her crate herself. One time, she started trying to open the crate while I was still there, so I saw how she did it. So I started putting a binder clip on the latch so that she couldn’t bounce the latch open. After a while, I didn’t have to put the binder clip on anymore. She stopped trying. That was learned helplessness.
Learned helplessness in test taking
But I’ve fallen into learned helplessness too. I experienced it studying for CISSP. I had 6 months to pass the test, and 2 months in, I was still flunking my practice tests. It was very difficult to break out of the pattern.
I experienced learned helplessness while I was taking the test too. The test messes with you. Mine started out with a difficult question, and the two questions after that were even more difficult. I wondered what on Earth I had gotten into. So I marked down those three questions for review, then found an easier question. I don’t know anymore if it was the fourth question or the 10th. But I went looking for a question that I knew the answer to, marked it down, then went and found another one, and built up my confidence, and soon found I was marking down fewer questions for review.
There were some people who handed their test in after 30 minutes. I once worked for a guy who claimed he could take the test and pass it in 30 minutes. He just retook the test every 3 years instead of tracking CPEs. But I could tell that wasn’t what my testmates were doing. They looked defeated. They may or may not have been ready, but they were definitely experiencing learned helplessness.
I was still experiencing it at the end of the test myself. I didn’t overcome it during the test, I just kept it in control enough to finish. But I still had to walk around the parking lot a couple of times before I could remember how to pick up my phone and dial it to call home. Simple, doable tasks like dialing a phone or even getting into the car and starting it no longer seemed simple.
The Wolfe-Spence aptitude tests
The other time I experienced learned helplessness when taking a test was when I took a Wolfe-Spence programming aptitude test in the late 90s. If you’re unfamiliar with that test, it mostly consists of math questions using a nonstandard order of operations and then changing it periodically. The combination of forcing you to ignore rules that have been drilled into you for your whole life and the ordering of the questions make it a better test of your resistance to learned helplessness than much of anything else.
The Wolfe-Spence test doesn’t lend itself to taking it out of order, but I’d advise you to read over the whole test first before trying to answer any questions, note the easiest steps, then go back through and read those easy steps first to warm your brain up before trying to take the test from step 1. That way it becomes a weird math test instead of a learned helplessness test.
Learned helplessness and vulnerability and patch management
I’ve seen people get into a learned helplessness funk in vulnerability and patch management too. You’re looking at a list of scan results. The sheer number of results may start you in that direction. More likely, you start looking at the results and that’s what sends you into learned helplessness. You look at the details of one result and can’t figure out what you’re supposed to do to fix it. So then you look at another one. And if the next one happens to be confusing too, then it doesn’t really matter how easy the third one is. If, like 2/3 of the general population, you aren’t resilient to learned helplessness, you won’t understand the third one either.
As the experiment I described in the beginning of this blog post demonstrated, it takes about two questions and only a few minutes to send you into a learned helplessness funk. And until we overcome it, we’re vulnerable to attacks like WannaCry. These don’t come along often, but when they do, the effects can be devastating.
Learning to read a Nessus scan is doable, but it is a skill that takes time. And until you master that skill, it feels about as hard as passing CISSP. I am not exaggerating.
Turning that funk into a groove
Human beings have a tendency to get stuck in ruts. When you’re stuck in a bad rut, we call it a funk or a slump. When you get stuck in a rut where good things happen, we call it a groove or momentum.
The question I get the most since I started working for vendors who sell vulnerability management products or services is where to start. I have no idea what the second or third most common question is. I’m so used to hearing where do I start that all of the other questions blend together. Don’t get me wrong, I can answer them. But don’t ask me to rank them.
The answer is where you start doesn’t matter very much. The problem is that you are stuck, and you are stuck because you haven’t built up enough wins to have confidence. The most important thing is for you to find something that you can fix, fix it, and then move on to something else. Fixing vulnerabilities in the worst possible order is still infinitely better than not fixing them at all.
There is absolutely nothing wrong with approaching a vulnerability scan the same way I approached that CISSP, skipping questions until I found one that I could answer, and then using what I learned or recalled from the process of answering that question to help me answer some other question, and then repeating through 250 questions until I didn’t have any questions left.
Finding easier vulnerabilities to fix
Here’s a hint for finding easier ones to fix. There is no correlation between severity and how easy or hard it is to fix. But you’re likely to find the items from the current or the previous month are easier to fix than older ones, because the fixes are more likely to be readily available. New updates can also clear older items in the list that they supersede, so deploying newer updates tends to give a better return on effort.
Most security professionals will tell you to fix higher severity items first, or riskier items first. But until you have some experience under your belt, you’re going to find that more difficult than fixing the newest items first. I speak from experience. I fixed about 800,000 vulnerabilities before getting out of the sysadmin business. The way I learned how to fix that many vulnerabilities was by fixing the newest, easiest stuff first, then working my way up to the older, tougher fixes. Fixing the tough stuff first is like asking someone to take CISSP and then get Security+. You start with the easier test first.
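As an added example (not from the original post), here is one way to turn the newest-first advice into a work queue: sort patches by release date, let each patch clear the findings of everything it supersedes, and drop older patches that no longer clear anything. The patch IDs, finding IDs, hosts and dates are constructed, and the sketch assumes a superseding patch can be installed on any host that needs an older patch in its chain.

```python
from datetime import date

# Constructed sample data: patch IDs, finding IDs, hosts and dates are made up.
PATCHES = {
    "P-2025-05": {"released": date(2025, 5, 13), "supersedes": ["P-2025-04"]},
    "P-2025-04": {"released": date(2025, 4, 8), "supersedes": ["P-2025-02"]},
    "P-2025-02": {"released": date(2025, 2, 11), "supersedes": []},
    "P-2023-09": {"released": date(2023, 9, 12), "supersedes": []},
}
# Each finding: (host, finding ID, patch that fixes it)
FINDINGS = [
    ("web01", "F-101", "P-2025-05"),
    ("web01", "F-077", "P-2025-04"),
    ("web01", "F-052", "P-2025-02"),
    ("db01", "F-052", "P-2025-02"),
    ("db01", "F-009", "P-2023-09"),
]


def covered_by(patch_id, patches):
    """Return patch_id plus every patch it supersedes, following chains."""
    seen, stack = set(), [patch_id]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(patches.get(current, {}).get("supersedes", []))
    return seen


def work_queue(findings, patches):
    """Newest-first list of (patch, hosts, findings cleared).

    A patch is skipped when a newer patch already in the queue has
    cleared every finding it would have fixed.
    """
    queue, cleared = [], set()
    newest_first = sorted(patches, key=lambda p: patches[p]["released"], reverse=True)
    for patch_id in newest_first:
        covers = covered_by(patch_id, patches)
        hits = [f for f in findings if f[2] in covers and f not in cleared]
        if hits:
            cleared.update(hits)
            hosts = sorted({host for host, _, _ in hits})
            queue.append((patch_id, hosts, len(hits)))
    return queue


if __name__ == "__main__":
    for patch_id, hosts, count in work_queue(FINDINGS, PATCHES):
        print(f"{patch_id}: deploy to {', '.join(hosts)} -> clears {count} finding(s)")
```

With the sample data, four patches and five findings collapse into two deployments, and the first one is the newest patch.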

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.
