The Psychology of Cybersecurity Burnout
As cybersecurity threats continue to grow, nearly every business now struggles with the demands of keeping their data secure. This places more pressure on all employees, from basic administrative staff to managers of dedicated cybersecurity programs. And people are burning out at alarming rates. Automation and AI are picking up some of the slack, but these novel technologies aren’t keeping pace.
Employees who are not focused on cybersecurity often feel that safeguarding procedures represent an undue impediment to completing their assigned tasks. And cybersecurity professionals must contend with an ever-growing panoply of alerts and crises — in the midst of a massive shortage of both workers and skillsets. Sixty-eight percent of respondents to a 2022 IBM survey of cybersecurity responders said they were often assigned to more than one incident at a time.
Overburdening employees with cybersecurity demands can result in a number of symptoms that ultimately signify burnout — cynicism, exhaustion, and diminished self-efficacy primary among them. Cynicism can result in dissociation from procedures that seem overly onerous or ineffective. Exhaustion, likely the most important consequence, results in a lack of mental bandwidth for dealing with cybersecurity procedures — and even with threats when they actually show up. And diminished self-efficacy means that employees feel their skills are insufficient in the face of a constant onslaught of problems.
Everything from routine demands such as repeated authentication prompts and password resets to more intense stressors such as staying on top of a continuous stream of threats or observing rigorous regulatory protocols can result in burnout.
In other industries such as air traffic control, military operations, and medicine, the duration of mentally taxing tasks is strongly correlated with the likelihood of burnout. Cybersecurity tasks are never-ending. More than one-third of the respondents to the IBM survey said that a single incident response took up to six weeks.
The consequences appear to be reaching crisis levels in the industry. A recent Sophos survey indicated that 85% of respondents from six Asia-Pacific countries were suffering from burnout and 90% saw increases in burnout in the last year. A Cyberark survey found that 59% of cybersecurity professionals were burnt out. Mimecast found that 54% of professionals thought ransomware attacks were leading to deteriorating mental health status.
Even five years ago, two-thirds of CISOs were considering leaving their jobs, and even leaving the industry, according to one study. A 2023 Gartner report stated that up to half of cybersecurity leaders are likely to switch jobs in the next two years, with a quarter of that number leaving for entirely different roles. Similarly, Mimecast found that 42% were considering leaving in 2023, up from one-third in 2022.
The cost is not just a human one. Organizations themselves are suffering because burnout ultimately results in lax security procedures and an increased likelihood of breaches. Just as burnout may lead to fatal complications in medicine or friendly-fire incidents during sensitive military operations, it may lead to breaches in cybersecurity. Gartner also found that nearly 70% of employees had bypassed security procedures. Sixty-one percent of the Cyberark survey respondents indicated that high turnover of employees might result in an incident.
Here, InformationWeek plumbs the literature on cybersecurity burnout and seeks insights from John Blythe, director of cyber psychology at Immersive Labs, and Frank Gartland, chief technology officer at Skillable. Both companies work on cybersecurity training.
What Is Causing Cybersecurity Burnout?
The causes for cybersecurity burnout — fatigue, cynicism and diminished sense of self-efficacy — are multifarious.
“Psychological burnout occurs because of job demands that are too high. This can be too much workload, too much risk, stress or demands of the jobs — mixed with too few job resources,” Blythe suggests.
The cybersecurity landscape is incredibly complex, and the cybersecurity procedures implemented by a given organization are likely to vary significantly. However, a number of factors have emerged as being likely contributors to this mental health phenomenon.
Staff shortages are primary among them. With global deficits numbering up to 4 million, existing staff are expected to make up the shortfall. This occurs in an environment in which cyberattacks are increasing in number and severity, placing enormous pressure on cybersecurity teams and on non-cyber employees alike.
“It wasn’t just me, it was the team as well working. We just didn’t have enough of us. And then people leave and then it’s hard to find people to fill those roles as well that have the experience,” a respondent to one study is quoted as saying.
Anticipating developing threats is a further problem. Staff simply don’t have time to stay on top of the news and devise procedures that can deal with novel ransomware attacks or whatever else may be brewing in the attack space. “If I don’t get on top of this, it’s gonna be a problem for me and my team,” Gartland says. “So, we’re just trying to figure out: How do I learn something on the weekend or late at night?”
Cybersecurity professionals must be highly attentive to their work, and conspicuous failures can often be traced to a single error, increasing the burden of responsibility on even low-level employees. The vigilance required of the job is comparable to that required of air traffic controllers and medical professionals. People who strongly identify with those responsibilities are more likely to suffer burnout due to intense internal motivation to fulfill them even when doing so is not realistic.
“… Knowing the responsibility of being the responsible party for the client information, knowing that we would have to send the breach notification letters, go on the CMS wall of shame. It was a heavy responsibility,” said another research subject.
Gartland thinks that there may be a disconnect between the qualities that attract people to cybersecurity careers and the reality of the work. “I think that some of [the problem] has been the romance of it,” he says. People who pursue the profession may not be aware of the sometimes tedious and exhausting nature of the work. “There’s always this thing: We’re not good enough, no matter how good we are, how much we do.”
Cybersecurity professionals scored lower on professional efficacy, or the sense that they are adequately executing their duties, than even frontline medical professionals, who also suffer from burnout at high rates. It can be extremely challenging to turn off that sense of obligation, even during periods where workers are not officially on the clock.
Poorly designed cybersecurity strategies exacerbate the problem. Solutions may not be sufficiently integrated, necessitating manual interventions to ensure proper implementation. Cybersecurity staff may be denied access to privileged networks and thus lack the ability to exert the necessary controls.
And overly complex, repetitive procedures can lead to security fatigue — a sense that security is an obstacle to be navigated around in order to get work done rather than an essential part of work itself. Analysts may either attempt to shut down or circumvent alerts — known as discrepancy enhancing. Or they may attempt to keep on top of them despite their inability to do so — known as discrepancy reducing. Both are highly stressful.
Paradoxically, cybersecurity training itself may contribute to burnout, especially for people who do not work in cybersecurity but are required to observe cybersecurity procedures as part of their jobs. For example, one study found that training actually reduced the ability of subjects to identify phishing emails. Part of this may be due to habituation. Employees become accustomed to certain types of alerts after a period of time and view them as superfluous.
Excessive training may be a drain on cybersecurity professionals too, Blythe says. “Cybersecurity professionals are already often saddled with a big workload,” he observes. “The last thing they need to worry about is participating in old-school table-topping exercises, watching some video, or completing some multiple-choice certification. This can feel like a waste of time and just compound feelings of stress and anxiety.”
What Are the Effects of Cybersecurity Burnout?
Cybersecurity burnout can result in deleterious effects in both personal and professional domains.
IBM reported in 2022 that 67% of cybersecurity professionals saw negative effects in their personal lives. Some 95% of CISOs are overworked according to a 2020 survey, and 90% would take a hefty pay cut if it meant a better work-life balance. One survey found that most cybersecurity analysts stayed in their positions for at most three years. Around 27% of employee turnover was attributed to stress according to a ThreatConnect survey. Alarmingly, 74% of CISOs reported that employees had quit due to stress in another survey.
This high turnover contributes to the problem both because it results in staff shortages and because the short tenures of many professionals do not allow for the cultivation of resilience in the face of constant threats. More than half of respondents to a DeepInstinct survey indicated that their stress increased due to deficiencies in their cybersecurity team.
These effects may be emotional or physical. Burnout has been linked to a variety of health conditions, including high blood pressure, heart disease and drug and alcohol abuse. Some have even linked it to suicidality. Depression and anxiety are also commonly reported symptoms. Fifty-eight percent of respondents to a Tines survey were taking medication for their mental health. Nearly one-third reported declining mental health in the past year. Some professionals have recognized the impacts on their lives and switched to other roles, either within the industry or outside of it, contributing to the staffing shortages that lead to some of these stressors in the first place. People who switched from incident response to consulting reported substantially lower stress levels.
The ways in which people react to cybersecurity stress depend on a variety of factors, ranging from personality characteristics to sex to age. People who score higher on agreeableness — one component of the Big Five personality model — may be more likely to deal with cyberattacks in a constructive, useful way, for example. High scores in conscientiousness and openness may also lead to more positive approaches when job stressors intensify.
Women tend to have more emotionally intense reactions in the face of cyberattacks, resulting in anxiety, while men tend toward a fight-or-flight response — either higher aggression or a desire to avoid the situation. Advanced age correlated with more emotionally regulated, proactive responses. None of these demographic factors is necessarily predictive of a more useful response to cybersecurity stress, of course — they are highly variable among individuals. People of all backgrounds possess the capabilities that lead to the most useful responses, namely being proactive and looking to solve the problem at hand.
Cybersecurity stress may result in two types of fatigue: attitudinal and cognitive.
Attitudinal fatigue leads to apathy and cynicism toward cybersecurity procedures and may affect whether employees are willing to observe them. An employee who is subject to repeated requests for verification and password changes or is required to monitor an endless stream of seemingly meaningless alerts is likely to eventually begin ignoring them — even ones that may be valid. This is especially true if alerts impede what employees perceive to be the end goal of their work. An International Data Corporation (IDC) white paper indicates that up to 30% of alerts may be ignored.
Cognitive fatigue results from the constant need to make decisions about incoming threats. When these threats turn out to be false alarms on a regular basis, an employee may resort to shortcuts in the decision-making process based on these patterns. This may result in missing valid alerts as well. One survey found that 41% of respondents felt they were not diligent enough in responding to threats because they were burnt out.
In general, burnt-out employees are more likely to miss obvious cues and make mistakes that allow cyberattackers to penetrate the network. They may dissociate from their work in order to protect their mental wellbeing or become overly mechanical in their execution of tasks. Nearly one-third of burnt-out employees surveyed by 1Password said cybersecurity procedures were not “worth the hassle.” While some have argued that work stress may ultimately be beneficial in driving workers toward better practices, it often results in suboptimal performance.
One paper indicates that people are far more likely to divulge sensitive information online when stressed. Indeed, cognitive hackers rely on such points of weakness. Some 95% of breaches are due to human error, according to IBM. Cyberattacks are often executed during the afternoon, when employees are most susceptible to the stresses of their workload. Risky behaviors have likely been further exacerbated by working from home.
The delayed response to the 2023 supply-chain compromise of the 3CX Voice over Internet Protocol (VoIP) desktop software, which resulted in widespread compromise of downstream systems, has been widely attributed to alert fatigue: analysts ignored alerts that they initially believed to be false positives. Such incidents are living proof that the 75% of analysts who fear that a real incident will be missed amid the false positives are not being paranoid.
What To Do About Cybersecurity Burnout
The research on solutions to cybersecurity burnout is highly conflicted. While some experts believe that simple, common-sense steps may be able to reduce the effects of cybersecurity demands on employees, there seems to be a sense that burnout will be an inevitability until the landscape itself shifts.
One of the more optimistic approaches suggests that implementing “human factors” programs may help to mitigate the problems that lead to burnout. These programs somewhat vaguely promise to alleviate burnout by implementing more stringent training programs that balance human needs with the demands of effective cybersecurity and adherence to regulations.
“You should assess each department within your organization to understand where weaknesses exist, and then implement programs to upskill employees in the specific areas where they are weakest. Programs should include outlining clear objectives, benchmarks and metrics for measuring progress,” Blythe exhorts.
Perhaps more productively, it has been suggested that greater attention be paid to the distribution of responsibility and to the concerns expressed by frontline workers. If workers feel that they are being unfairly burdened by excessive responsibilities and that additional mechanisms need to be implemented to ensure fair allocation of work, then those concerns should be acknowledged.
“Set aside time where folks can just go research a specific cybersecurity problem,” Gartland advises. “Even if they don’t come up with anything, just give them time to spread their wings and beat technologists for a little bit.”
In one fascinating experiment, a computer science graduate was embedded in a cybersecurity program and observed how policies and practices affected employees using anthropological methodologies. Allowing employees agency and creativity appeared to be a key factor in alleviating burnout. Facilitating interactions that allow them to exchange ideas and teach each other enhances both employee well-being and the health of the cybersecurity program as a whole. Any program aimed at enhancing cybersecurity while mitigating burnout needs to factor in whether controls will disempower employees and whether freedoms will increase their likelihood of making costly mistakes. Rigid procedures may give workers the sense that they have no control over the situation and thus lead them toward apathy and cynicism.
Conversely, overly lax policies may lead to total disengagement and inattentiveness to valid cybersecurity concerns. Sometimes, very simple adjustments may be effective. Ensuring that onerous procedures are implemented in the early part of the day, when employees are less exhausted, may mean that they are more likely to be observed, for example.
It is a difficult balance to strike and one that requires detailed analysis of individual environments.
“Companies should be looking into tailored, more customizable approaches to engaging cyber resilience training — with the idea that one size does NOT fit all,” Blythe advises.
Automation may help to pick up the slack, handling simple problems and giving analysts the time and mental bandwidth to handle the more complex problems that are sure to arise. According to a Tines report, 66% of analysts felt that at least half of their work could be automated.
“There are very few things that are problematic from a cybersecurity standpoint where you can’t advance the ball a little bit, if not a lot, by implementing some form of better automation or some form of AI,” Gartland claims.
As discovered by the embedded analyst in the aforementioned study, automated procedures must be implemented after careful consideration: Analysts should reflect on their workflows and report which procedures might benefit from automation and which must be handled manually.
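As an added illustration of the kind of automation the preceding paragraphs describe (this is example code written for this page, not code from IBM, Tines, Immersive Labs, Skillable or any real SIEM; the rule names, hosts and the alert stream are constructed), the block below collapses repeated alerts for the same rule and host into a single case, drops a rule that analysts have already reviewed and marked as benign noise, and keeps the two safeguards a triage team would insist on: a high-severity hit on a suppressed rule still surfaces, and the same rule firing on several hosts within the window is escalated rather than quietly collapsed.

```python
"""Alert aggregation for triage: turn a raw alert stream into a short list of
cases. Example code with constructed sample data (see sample_alerts)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEV = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Alert:
    ts: datetime
    rule: str
    host: str
    severity: str  # "low" | "medium" | "high"


@dataclass
class Case:
    rule: str
    host: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1
    tags: list = field(default_factory=list)


WINDOW = timedelta(minutes=30)   # gap after which a repeat opens a new case
SPREAD_HOSTS = 3                 # same rule on this many hosts in a window = escalate
# Hypothetical rule an analyst reviewed and marked as known-benign noise.
SUPPRESSED_RULES = {"av_definition_update_failed"}


def aggregate(alerts, window=WINDOW, suppressed=SUPPRESSED_RULES):
    """Return (cases, dropped): one Case per (rule, host) burst, plus the
    number of low/medium alerts dropped because their rule is suppressed."""
    cases, open_case, dropped = [], {}, 0
    for a in sorted(alerts, key=lambda x: x.ts):
        # Never auto-suppress a high-severity alert, even on a noisy rule.
        if a.rule in suppressed and a.severity != "high":
            dropped += 1
            continue
        key = (a.rule, a.host)
        idx = open_case.get(key)
        if idx is not None and a.ts - cases[idx].last_seen <= window:
            c = cases[idx]
            c.count += 1
            c.last_seen = a.ts
            if SEV[a.severity] > SEV[c.severity]:  # a case takes its worst alert's severity
                c.severity = a.severity
        else:
            cases.append(Case(a.rule, a.host, a.severity, a.ts, a.ts))
            open_case[key] = len(cases) - 1
    flag_spread(cases, window)
    return cases, dropped


def flag_spread(cases, window, min_hosts=SPREAD_HOSTS):
    """Escalate every case of a rule that opened on >= min_hosts distinct hosts
    within one window: the pattern of lateral movement that per-host
    collapsing would otherwise hide."""
    by_rule = {}
    for c in cases:
        by_rule.setdefault(c.rule, []).append(c)
    for group in by_rule.values():
        group.sort(key=lambda c: c.first_seen)
        for i, start in enumerate(group):
            burst = [c for c in group[i:] if c.first_seen - start.first_seen <= window]
            if len({c.host for c in burst}) >= min_hosts:
                for c in burst:
                    c.severity = "high"
                    if "spread" not in c.tags:
                        c.tags.append("spread")


def sample_alerts():
    """Constructed alert stream (51 alerts), not real telemetry."""
    t0 = datetime(2024, 5, 6, 9, 0)
    alerts = [Alert(t0 + timedelta(seconds=30 * i), "failed_login", "ws-17", "low")
              for i in range(40)]                       # one noisy workstation
    alerts += [Alert(t0 + timedelta(minutes=i), "av_definition_update_failed", f"ws-{i}", "low")
               for i in range(5)]                       # known-benign noise, dropped
    alerts += [Alert(t0 + timedelta(minutes=2 * i), "new_service_installed", f"srv-{i}", "medium")
               for i in range(1, 5)]                    # same rule on four servers: spread
    alerts.append(Alert(t0 + timedelta(minutes=12), "av_definition_update_failed", "srv-9", "high"))
    alerts.append(Alert(t0 + timedelta(hours=2), "failed_login", "ws-17", "low"))  # outside window
    return alerts


def summarize(alerts, **kw):
    """Volume reduction an analyst actually sees, with the escalated count kept visible."""
    cases, dropped = aggregate(alerts, **kw)
    return {"raw": len(alerts), "cases": len(cases), "suppressed": dropped,
            "reduction": round(1 - len(cases) / len(alerts), 2),
            "high": sum(1 for c in cases if c.severity == "high")}


if __name__ == "__main__":
    for c in aggregate(sample_alerts())[0]:
        print(f"{c.severity:6} {c.rule:28} {c.host:6} x{c.count:<3} {c.tags}")
    print(summarize(sample_alerts()))
```

Run on the constructed stream, 51 raw alerts become 7 cases: the 40 failed logins fold into one case, the later login on the same host opens a second because it falls outside the window, the five benign update failures are dropped while the single high-severity one is kept, and the four `new_service_installed` cases are escalated to high and tagged `spread`. The suppression list is the step the embedded study above warns about: it should be populated from analysts' own review of their workflows, and revisited, rather than set once.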
In the absence of real changes in cybersecurity programs that address human factors, programs like Cybermindz, an Australian initiative, are filling the gap. They offer mental health programs to cybersecurity professionals, designed with input from other cybersecurity professionals who have experienced the same problems.
Even informal stress reduction mechanisms, such as regular employee meetups that allow employees to vent to each other and swap coping strategies, may provide a useful outlet. Ensuring proper diet, regular medical checkups, and taking regular breaks may also have substantial benefits.
Blythe remains optimistic about the future of programs aiming to alleviate burnout. “We’re seeing a more people-centric approach to cybersecurity training, programs, and policies. Steps are being made to mitigate ‘blame culture’ in organizations, and instead focus more on why a cyber incident happened in the first place, and how to prevent it in the future,” he says.