Cybersecurity awareness versus IT security fatigue
Thanks to the diligent efforts of the Department of Homeland Security, the National Cyber Security Alliance, and the Multi-State Information Sharing and Analysis Center, a 13th annual campaign to educate end-users about the dangers of cybersecurity has kicked off again this month.
The noble goal of the “National Cyber Security Awareness Month” campaign is to better educate end-users about the perils of IT security in much the same way governments around the world have for decades educated their citizens to better protect themselves from any number of communicable diseases.
Of course, not every arm of the government is always aware of what the other arms are doing when. It turns out that the National Institute of Standards and Technology (NIST) chose this month to issue a report that finds that most end users are suffering from a bad case of IT security fatigue. Basically, the report concludes that the number of alerts end users receive about potential IT security issues has grown past the point where those alerts are effective. Faced with a choice between heeding an alert about a potential security issue, one of the hundreds they regularly encounter, and actually accessing the content they find of interest, the latter almost always wins out over the former.
Naturally, end-users are not the only victims of IT security fatigue. IT administrators are regularly subjected to thousands of alerts in any given week. Most of those alerts wind up being of little to no consequence. The trouble is that IT administrators become inured to them. Before too long they stop paying attention to them altogether, until the day comes when an alert they ignored turns out to be the only advance warning they ever got about a malware infestation that is now wreaking havoc across their IT environment.
IT vendors clearly need to do a better job of wrapping context around these alerts. Today almost every alert is issued with the same level of urgency regardless of the actual risk. As well-meaning as that may be, it’s not too long before both end-users and IT professionals start to file those alerts alongside all the other cries of wolf in their lives that they no longer give a second thought.
The good news is that the combination of advanced analytics and Big Data should go a long way to improve the quality of the alerts being issued. But it may still be a while before advanced security analytics gets pervasively applied. In the meantime, IT security professionals are clearly losing credibility in direct correlation to the number of alerts being issued that turn out to be false alarms. End-users intuitively understand there are risks associated with accessing the Internet. Educating them about those risks is a noble endeavor. Constantly reminding them, via a stream of alerts, that every action they take could potentially result in a cataclysmic security breach winds up being counterproductive.
Most people tend to be welcoming towards enlightenment. Telling them something they didn’t know that enhances the quality of their lives is generally seen as being helpful. Nagging them about things they already know, however, is always going to be viewed as just the opposite.