Story image

Threat fatigue and the failure of cybersecurity

10 Oct 2016

There was a recent U.S. National Institute of Standards and Technology (NIST) study titled “Security Fatigue” that was released regarding people’s experiences with online security. Though it had what we would consider too small a sample size to have statistically significant results, we did agree with many of its findings regarding the cybersecurity attitudes of people globally.

There is a form of growing desensitisation to the daily reports of cyber hacks and threats to the degree where some have begun to wonder just what is the point of cybersecurity practice at all. We already find anger and frustration with users when security teams become “Dr. No” to every project because of the security controls required.

Then when the controls are put in place, they are awkward to use and hard to understand. Customers become angry with the countless passwords that must be remembered or the apps that must be run to get additional authentication factors.

“User-friendly” and “security procedure” are mutually exclusive phrases for many, and this only adds to the perception that security is just a hassle. Once you add the results of cyber attacks reported in the media and our apparent inability to stop them, an opinion begins to evolve among many.

People and organisations see what’s happening when cyber compromises occur, know friends that had it happen to them, see companies that take a whack and keep on ticking, sigh and say “it’s just a part of everyday life now, let it go”. If they’re really clever, maybe in the process they even create a new way to make money from this attitude, such as cyber-insurance.

This is the same position that even very intelligent engineers who (for example) build power networks and transportation systems have. Many of those engineers believe that they’ve engineered enough protected redundancy into their systems that they don’t need the hassle and instability that adding security controls brings to the systems, that applying technologies for these controls destabilises reliability anyway when you try to integrate it with current production and operations of those systems.

I wonder if even the “Event” would change this: a nuclear-level incident that so disables a company (remember Sony?) or an infrastructure (remember Saudi Aramco?) or society (hypothetical devastating week-long attack on Facebook) that it changes behaviour, attracts regulation, and changes society as we know it.

When it comes to cyber technology, it appears that we are a reactionary society. This may be due in large part to the calculus of risk, reward and cost. We play out a vast poker game in business and society whereby we know (or think we know) the odds but call the hand anyway.

This strategy is actually not a bad one in a free enterprise market– as long as you have all of the data you need to make a good decision about the risk vs. the reward. I fear that we aren’t doing enough to have that data available to make the right decision about what poker hand to play.

I also believe that we don’t perform the “minimum acceptable standard” for cybersecurity that would help us avoid so many of these incidents, even though history proves time and time again the vast majority of attacks were due to stupid oversights, easily corrected.

This is a cynical view of the role of cybersecurity, but when year after year the hacks persist and grow, when we fail to match the quality and scale of attacks perpetrated on our systems and people, when we make only modest strides in maturity and usability of software and services that are supposed to provide safer and more secure businesses and lives, it isn’t hard to understand why this cynicism exists.

A culture that consumes significant technology appears to have found the rightful place of security in their attitudes, behaviours and norms, and that isn’t at the centre, or integrated, but at the margins or not at all. From this perspective, cyber threats are noted, and in some cases where there are considerable risks to profit (in the form of loss of money, identity, intellectual property or production) some steps are taken, but those cases are exceptions more than the rule.

Things have “gotten better” from a security point of view over time as companies show more maturity and improve their security stance, but it is slow, slower than it should be when compared to the pace of innovation and change.

The evidence that threats or impacts are greater doesn’t appear to be compelling, or compelling enough to average citizens and even savvy businesses, not compelling enough to alter the poker playing habits still underway today. We’ll see in time if we overplayed our hand.

Article by Earl Perkins, Gartner Blog Network

Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”
CylancePROTECT now available on AWS Marketplace
Customers now have access to CylancePROTECT for AI-driven protection across all Windows, Mac, and Linux (including Amazon Linux) instances.