Extended Vigilance and Security Fatigue

It seems like we are being barraged with a never ending string of news stories about cybersecurity events, breaches, and lapses.  Often these stories will provide helpful tips or advise us how to avoid or recover from these security incidents.  This author, in our own humble way, is contributing to the constant ringing alarms about cybersecurity.  Maybe it is getting to be too much.

I was providing computer support for a permit-to carry firearms instructor recently, and one of the slides had a color code matrix that was developed by handgun expert Jeff Cooper.  Then I saw the same matrix mentioned in a post from Bruce Schneier in his Crypto-Gram newsletter.  This is how the matrix applies to a cybersecurity environment.

  • Code White – you are unprepared and unready to take action. If you are attacked in a Code White state you will probably be overcome unless your adversary is totally inept.
  • Code Yellow – you bring yourself to the understanding that you may be in danger and that you may have to do something about it.
  • Code Orange – you have identified the threat or adversary and are prepared to take action to protect yourself and overcome your adversary.
  • Code Red – you are fully engaged in an an effort to overcome your adversary and survive the encounter.

I find myself spending more time living in a Code Yellow state of mind, with occasional trips to Code Orange, and I suspect that you may have the same problem.  Unfortunately, we are not equipped, physically, mentally, or psychologically, to spend the majority of our time in this state of hypervigilance.  It increases levels of adrenaline, and causes stress and fatigue.

In the story about the boy who cried wolf, because his alarms were proven to be false, eventually people stopped paying attention and when the wolf really attacked, nobody responded to his call. But what happens when the wolf really is attacking all the time?  Do people finally get to a place where they are just too tired or too overwhelmed to respond, with the same result?

In a cybersecurity context, what this means is that we are dealing with too many potential threats, false positives, and actual attacks, and can’t function in an efficient manner.  This eventually will cause us to take our eye off the ball, lose our focus, and make mistakes that could prove to be costly.  Schneier says:

“…actual attacks are rare. The person walking towards you on the street isn’t an attacker. The person doing something unexpected over there isn’t a terrorist. Crashing an airplane into a sports stadium is more suitable to a Die Hard movie than real life.”

We need to relax.  While it is important to be vigilant while using your computer online, it is more important to disconnect, detach, find a safe place to engage in risk-free activity with people you know and trust. Meditation, yoga, or Tai Chi might help – seriously!  If you are feeling overwhelmed, just closing your eyes and taking a few deep breathes can help.  While it is important to keep your eye on the ball, make an effort to make some quiet and safe space for yourself every day.

More Information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.