
Is IT alert fatigue one of your concerns?

October 12, 2016

Alarm or alert fatigue is much older than our current cyber-technology. It is the state of desensitization to alerts caused by their overwhelming frequency or number, and it was first encountered in industrial environments. As the name suggests, individuals whose main activity lies in an area other than security feel extreme tiredness when exposed to a growing number of false or preparatory alerts, and the alerts end up defeating their own purpose.

Making and breaking habits – beneath alert fatigue

The purpose of training and drills when it comes to security and safety actions is to build up the best habits. Once internalized, such habits act as reflex gestures when and if needed.

However, when overused, such preparatory actions break the usual stimulus-response cycle in humans and things revert to the initial state: the stimuli are ignored, and the training fails to meet its purpose. It all has to do with psychology and the way the mind makes or breaks habits.

As a manager in an IT company where cyber-security alerts are a regular occurrence, one should take care to notice when alert fatigue takes its toll, audit the extent of the phenomenon and its causes, and remedy the situation by resetting the entire alert system. Refining and personalizing the notifications, as well as reconsidering their frequency, are the usual recommendations.

While in healthcare IT alert fatigue strikes on two fronts (the patient-clinician data flow and the actual IT front, where the risks and vulnerabilities of digital data increase week by week), other fields are more shielded from a continuous flow of alerts, yet they also risk employee desensitization if the necessary interventions are not performed in the right manner.

Therefore, tuning the alert and information flow to best suit your employees is the secret to avoiding overdoing it and turning the whole effort into a complete failure.

A seven-step model in keeping alerts efficient

CSO recently approached this matter in an article that recommends seven ways to avoid alert fatigue. Here are the recommended steps:

  • Give context to all alerts so they can be easily understood (and also provide the source and a simplified, easy-to-grasp shape for all the data);
  • Take care not to duplicate information: reduce and consolidate the alerts and avoid redundancy;
  • Establish continuity by streamlining security functions into a single place;
  • Adjust thresholds in order to differentiate minor alerts from major ones in a clear manner;
  • Make sure the right targets are covered by establishing in advance, in agreement with the recipients, which persons need to get which alerts;
  • Personalize/customize alerts and make sure you are not inappropriately disturbing people with non-urgent alerts, otherwise the more important ones will end up being ignored;
  • Re-adjust the alert schedule and delivery methods from time to time in order to keep up with recent developments and needs (also by common agreement with the receivers).

The automated solution

Since in most scenarios there are too many alerts and not enough time and resources, specialized service providers have come up with the idea of automating cyber-security investigations.

Basically, automated software pre-analyses the alerts before they reach the human analyst, provided it is correctly configured to efficiently sift through the raw batch of alerts and identify the ones that need human intervention.

Here is how such a tool works. An automated tool acts as a buffer between the IT systems (which produce unfiltered alerts, sometimes in high numbers) and the cyber-security team or the persons designated to perform this function inside the company, allowing only the real, important events to generate notifications that end up on the desk of your cyber-security manager. Such functionality diminishes alert fatigue.

Another improvement offered by automated cyber-security tools is the ability to view security incidents in the context of the entire enterprise system and on a coherent, consistent timeline. When the alerts reach individuals directly, they either find it hard to grasp the overall context, because each of them is only one part of your team, or they simply find themselves incapable of correctly processing the high volume of information.

That is why bigger companies at least (but also smaller organizations) might find such tools to be extremely useful and in fact to be a worthy investment.
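The seven steps above and the automated buffer just described can be sketched as a small triage pipeline. This is an added example, not code from the article or from any vendor's product: it consolidates repeated alerts, drops those below a severity threshold, routes the rest to the right team and builds a single timeline. The alert feed, routing table, threshold and window are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not from the article): raw alerts from several tools, unfiltered.
RAW_ALERTS = [
    {"ts": "2016-10-12T09:00:00", "host": "web01", "rule": "brute-force-ssh", "sev": 3, "src": "ids"},
    {"ts": "2016-10-12T09:00:30", "host": "web01", "rule": "brute-force-ssh", "sev": 3, "src": "ids"},
    {"ts": "2016-10-12T09:01:10", "host": "web01", "rule": "brute-force-ssh", "sev": 3, "src": "ids"},
    {"ts": "2016-10-12T09:02:00", "host": "db01", "rule": "disk-90pct", "sev": 1, "src": "monitoring"},
    {"ts": "2016-10-12T09:05:00", "host": "db01", "rule": "new-admin-account", "sev": 4, "src": "siem"},
    {"ts": "2016-10-12T10:30:00", "host": "web01", "rule": "brute-force-ssh", "sev": 3, "src": "ids"},
]

# Assumed routing table (step 5: which persons get which alerts) and severity threshold (step 4).
ROUTES = {"brute-force-ssh": "soc", "new-admin-account": "soc", "disk-90pct": "ops"}
NOTIFY_THRESHOLD = 2            # severities below this are kept for review but never paged
WINDOW = timedelta(minutes=10)  # repeats of one (host, rule) within this window are one alert

def consolidate(alerts, window=WINDOW):
    """Step 2: collapse repeated (host, rule) alerts inside `window` into one alert with a count."""
    out = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(a["ts"])
        prev = next((o for o in reversed(out) if (o["host"], o["rule"]) == (a["host"], a["rule"])), None)
        if prev and t - datetime.fromisoformat(prev["last_ts"]) <= window:
            prev["count"] += 1
            prev["last_ts"] = a["ts"]
        else:
            out.append({**a, "first_ts": a["ts"], "last_ts": a["ts"], "count": 1})
    return out

def triage(alerts, threshold=NOTIFY_THRESHOLD):
    """The buffer: add context (step 1), hold back sub-threshold noise (step 4), route (step 5)."""
    inboxes, suppressed = defaultdict(list), []   # suppressed alerts are returned, never silently lost
    for a in consolidate(alerts):
        a["context"] = f"{a['src']}: {a['rule']} on {a['host']} x{a['count']} ({a['first_ts']}..{a['last_ts']})"
        if a["sev"] < threshold:
            suppressed.append(a)
            continue
        inboxes[ROUTES.get(a["rule"], "soc")].append(a)   # unknown rules default to the SOC
    return dict(inboxes), suppressed

def timeline(inboxes):
    """One enterprise-wide chronological view across all teams' inboxes."""
    return sorted((a for box in inboxes.values() for a in box), key=lambda a: a["first_ts"])

if __name__ == "__main__":
    for a in timeline(triage(RAW_ALERTS)[0]):
        print(a["context"])
```

Six raw alerts become three notifications for the SOC, with the three SSH brute-force repeats folded into one line carrying a count, while the low-severity disk alert is held back rather than paged.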

Assessing the needs

As in many other enterprise internal issues, admitting and facing the problem is the first step in the right direction. Once you have noticed that alert fatigue is leaving its mark on your personnel, a balanced, realistic assessment of the situation is necessary.

Are your systems misconfigured? Are too many alerts sent out, or do the notifications come in too frequently? If not, what can be done downstream to improve awareness and people's responsiveness? Only by bringing the right people into this discussion will you be able to find out what is actually going on. Being able to assess the situation correctly helps in finding efficient solutions.

Perhaps you will discover that your alert fatigue problem is simply triggered by the default (or improper) settings of your alerting tools; this is the easiest factor to remedy. Decide how to configure your tools when it comes to selecting events and the related alerts; a few focused meetings with your key cyber-security employees should settle the matter. Alternatively, if you use external specialized services, call your provider and talk the matter through with the designated people; they should be able to intervene and improve your internal alert system.