Sara Peters

Beyond Burnout: What Is Cybersecurity Doing to Us?

Infosec professionals may feel not only fatigued, but isolated, unwell, and unsafe. And the problem may hurt both them and the businesses they aim to protect.

(page 2 of 4)

'Yelling Into the Chasm'
When the worst happens – a breach or a DDoS – CISOs must be the superheroes (or, perhaps, the anti-heroes). Not only do they fix the problem, they also take care of everyone who's feeling the pain and quite possibly serve as the sacrificial lamb after all the hard work is done.

And yet many CISOs and security managers spend more time playing bogeyman than superman – or at least that's how their end users would see it, terrifying them with horror stories, warning them about the costs of violating privacy laws, and pleading with them to be wary of every email, every caller, every text, every website, every link. Testing them with phishing simulations. Even threatening them with loss of their jobs.

However, focusing on fear, uncertainty, and doubt in end-user security awareness messages can actually make those messages less effective, as Dr. Jessica Barker, co-CEO and co-founder of Cygenta, explained in a recent keynote session at RSAC.

"If you just go heavy on the threat, and you don't tell people what to do about it, or people don't feel confident in what they can do about it, they just engage with the emotion," Barker tells Dark Reading. "They engage with the fear, not the actual danger."  

Compounding the problem, users will then worry that if they make a mistake – fall for a business email compromise, click on a phishing message – they'll face dire consequences. (Thirty-one percent of the C-suite executives who responded to Nominet's report stated that if a significant security breach occurred, the "accountable employee" would have their employment terminated.)

In these kinds of situations, end users "don't feel that kind of psychological safety to make a mistake," Barker says. "So I always find that kind of culture in an organization of course just drives incidents underground. It doesn't stop people clicking on links or whatever it might be. It just makes them less likely to report [attacks].

"The more you promote what someone can do about the scary thing, the more you empower them with that [information], the more you give them the tools to actually respond to [a threat], and of course the more likely they are to actually act on the message."

Barker gives the example of how providing users with easier identity management or a password management solution makes it easier for them to respond to your warnings about password misuse.

But, of course, security professionals don't always have the budget to implement the tools they know end users need. And security researchers can't force anyone to take their good advice.

Being ignored or unsupported may lead to feelings of frustration and even isolation, experts say.

"Sometimes I feel like I'm just yelling into the chasm," Malwarebytes Labs' Kujawa says. Regardless of what he and his fellow researchers are seeing threat actors do, many security habits and enterprise defenses don't necessarily change. The "hubris," he says, exhausts him the most.

This sort of frustration, Barker adds, "contributes to this narrative that we've seen of 'people are the weakest link,' which just creates more and more divides and makes it much harder, I think, for us to have positive conversations with our colleagues."

"Fear and uncertainty and doubt are known core tenets for anxiety, which is a source and type of stress," says the NSA's Paul, "and that fear can come from anything. It doesn't have to be a bad something on the other side of the wire; it can be a fear of failure.

"That fear of failure is certainly something that we [at the Agency] manage with, because we're in a high risk, high reward environment," she says. "Our operators are very aware of what the cost of failure is. And, you know, we always balance risk, but when you're so committed to the mission, sometimes you personally take on more than what you're actually asked, just because you want to see success and you don't want to fail no matter what."

Carey of Reliaquest says he is a low-stress guy. Coming from a military background, he understands that protecting data is less stressful than protecting lives – however, he says, for infosec professionals in healthcare or critical infrastructure, protecting IT systems and protecting lives may be one and the same.

(Continued on next page: 'I Began to Question Everything')  


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...