Alert fatigue or alarm fatigue happens to cybersecurity experts that get exposed to vast numbers of frequent alerts or alarms, consequently desensitizing them to the warnings. It results in longer response times or missing important alerts or alarms.
Apart from cybersecurity, alert fatigue happens in other industries, too, such as construction, mining, and healthcare. As in the story of the boy who cried “Wolf!” false alerts or alarms can rob critical ones of the importance they deserve.
Read More about “Alert Fatigue”
Alert fatigue is a genuine problem in cybersecurity, especially since it can lead to security personnel burnout and, consequently, real threats bypassing controls and causing compromises and breaches.
Before digging into the nitty-gritty of alert fatigue, let us get to the basics first by defining related terms.
Alert Fatigue 101: Definition of Terms
Here are some alert fatigue-related terms everyone should know about if they wish to truly know the answer to the question “What is alert fatigue?”:
- Alert: Any human-readable warning about a possible breach or compromise of a file, a system, an application, a server, or any network component that needs the attention and, sometimes, action of a security analyst.
- False positive: A security alert that incorrectly warns about a vulnerability that is not actually present.
Alerts Fatigue Facts and Figures
According to the report “The Impact of Security Alert Overload” published in 2019:
- Some 70% of security professionals investigate more than 10 alerts every day.
- Some 78% of security personnel stated that it takes more than 10 minutes to look into each alert.
- Almost 50% of security professionals said more than half of the total number of alerts are false positives.
- Some 35% of security personnel stated their security operations centers (SOCs) decided to hire more analysts or turned off high-volume alerting features on systems to prevent alert fatigue.
FireEye, meanwhile, said some organizations get more than 10,000 cybersecurity alerts a month, translating to more than 300 alarms each day.
Finally, McAfee reported that possibly due to alert fatigue, 32% of IT security professionals are ignoring alarms.
Causes of Alert Fatigue
Various experts have given thought to the possible reasons for alert fatigue, here are some of them:
- Too many alerting tools: 50% of organizations use six or more devices that each generate tons of security alerts.
- Lack of actionable intelligence: 40% of security professionals say the alerts they get lack actionable intelligence to investigate, preventing them from digging deeper.
- Too many false positives: 32% of security personnel say they ignore alerts because of so many false positives.
- Poorly configured rules: Rules that do not apply to the environment security analysts monitor can lead to too many false positives.
- Inadequately tuned rule management policies: Organizations succeed in cybersecurity when they regularly update system rules to keep pace with the ever-evolving threat landscape.
- Too many manual alarms: Companies can automate many if not all security systems to take care of alerts that do not really require manual investigation. They should take advantage of automation features to avoid alert fatigue.
- Lack of task rotation: The ideal task ratio for security analysts is 40:60. They should only spend 40% of their time dealing with alerts and the remaining for threat hunting, looking at threat intelligence to create advisories, and working on improving projects. Keeping them on a single task, particularly monitoring alerts, contributes to alert fatigue.
Avoiding alert fatigue, which can lead to compromises and breaches, not to mention lack of productivity or motivation, is possible if organizations prevent its causes.