We can’t risk losing staff to alert fatigue

The oft-quoted Chinese military strategist Sun Tzu famously claimed: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Exchange “battles” for “cyberattacks”, and the maxim will hold.

But too much information is as big a problem as too little, leading to confusion, poor resource allocation, and staff churn.

What is alert fatigue?

The fast pace and wide scope of cybersecurity makes this a real issue—there is almost no limit to the amount of information available. Feeds, emails, and security dashboards can throw up all kinds of relevant information. These can be new vulnerabilities in software, new patches to fix them, recent exploits by active hacker groups or even recent geopolitical events that may change a risk to an organization.

It’s easy to fall into the trap of seeing all these alerts as potentially useful… because they are. Hackers may be changing their tactics to target new types of organizations or new sectors. A printer installed in a distant office might now be vulnerable to attack and need to be patched. It’s hard to get away from the idea that somewhere in an avalanche of alerts there is a nugget of information that will help keep your organization safe.

There is also the problem of false positives. Cybersecurity tools may alert the security team to problems that may not exist, such as normal network activity that is flagged as suspicious, or files incorrectly flagged as malware.

Information overload makes it increasingly difficult to find truly useful information, and important alerts can be easily missed.

The consequences of alert fatigue

When important cybersecurity information is buried in inconsequential noise, the results can be dire. Cybersecurity teams need to prioritize their resources and focus on the areas where they are at the most risk. If the important information to make the right choices is hard to find, then it’s far easier for this focus to be misdirected, increasing the risk of a security incident.

Similarly, false positives will quickly make security teams complacent. It only took the villagers two false positives in the fable of “The Boy Who Cried Wolf” to assume there was nothing to worry about the third time. We can’t expect cybersecurity teams to be ever vigilant when most of what they are dealing with turns out to be a false alarm.

But missing vital information and growing complacency are not the only problems alert fatigue can cause. Alerts are designed to put people into a state of readiness and awareness: “Be prepared to do something”. Alert fatigue doesn’t just make people complacent and bury important information in noise, it also creates stress. A little stress can be a good thing, but the constant stress of too many alerts can lead to employee burnout, and consequently to employee churn.

It’s recognized by many employers that being “always-on”, by receiving calls and emails outside working hours, or being able to check emails on personal devices, can add to stress and lead to ill-health. But the effects of the sheer number of alerts received is less recognized.

Fighting back

Employers, in general, do not want their employees to burn out. They do not set out to bury their cybersecurity team in an avalanche of alerts that creates risk and complacency. And, in fact, it may not be the employer’s fault, at least not directly. Cybersecurity teams want to have access to up-to-date and important information and will actively subscribe to services that provide alerts, as well as make sure that everyone receives alerts from their security tools so that action can be taken if necessary.

Cybersecurity teams do not need a firehose of alerts. They need actionable information—not just raw data, but something that can lead to an executable plan. Changing this means changing a security team’s entire approach to alerts:

• Education: Employees need to understand the nature and consequences of alert fatigue. They may have proactively subscribed to several services without understanding that this is doing more harm than good, and training may be the best way to get to grips with the problem.
• Share responsibility: When everyone is responsible for every alert, no one is. By giving specific teams members responsibility for certain types of alerts, they can focus on these and unsubscribe from others. Anything vital for the whole team can then be shared.
• Tune alerts: Tools and alert services can be tuned to make sure people are receiving the right information and at the right time. Are you sure your whole team needs to know when a hospital in another country has been attacked with ransomware? Can the number of false positives be reduced? Are alerts only coming in during working hours, accounting for time zones? Turn the alert firehose into a more palatable drinking fountain.
• Add more detail: It might seem a little counterintuitive to fight information overload with more information. But if alerts are better tuned to be more relevant and contain enough information to avoid the need for follow-up research, then more detail may reduce stress.
• Ensure alerts are actionable: Much more important than “what’s happening?” is “what needs to be done?” By dividing responsibility for alerts and tuning them so that only the most important are received, it’s far easier to turn these alerts into tasks to be completed, rather than useless information to worry over. Some intel services will include actions to take in their alerts, rather than just raw information—cybersecurity teams should consider whether an extra layer of expert analysis could save them time and stress. If not, even a simple traffic light system for priority can help.

Alert fatigue is more than just an annoyance, it turns the advantage of intel into a disadvantage by making security teams complacent, burying important information, and even creating enough stress to cause staff turnover. Unlike many issues, it’s not always a top-down creation, with cybersecurity team members causing their own stress through a desire to be more informed. To stand a chance of fighting alert fatigue, education and buy-in from the teams affected is vital.