Go back Threat Intelligence

What is Alert Fatigue in Cybersecurity?

By Content Team on May 7, 2024

The concept of alert or alarm fatigue describes a phenomenon where people — especially in busy work environments — become desensitized to security alerts. As a result, it is almost certain that a critical alert will eventually be ignored, putting the business at risk.

Humans intuitively filter out noise. We are tuned to notice the unusual. When alerts or alarms are constant, it becomes difficult for us to feel that any of them will be particularly important. That is when critical alerts will be missed.

While not exclusive to cybersecurity, alert fatigue has become a major concern in this field in recent years.

Research from Forrester published in 2020 found that security teams received an average of 11,000 security alerts daily, a volume they were not equipped to handle. For this reason, 28% of alerts are never addressed.

An IDC survey from 2021 reached a similar conclusion, finding that analysts ignored 23% to 30% of security alerts. Mid-sized organizations with 1,500 to 5,000 employees fared worse than smaller or larger ones.

Another March 2023 study commissioned by IBM surveyed security operations center (SOC) teams to investigate what was holding them back. The responses revealed that on a typical workday, SOC team members only review 49% of the alerts they should.

These data are also related to cybersecurity professionals' top complaints regarding job satisfaction. According to the 2023 ISC2 Cybersecurity Workforce Study, 31% of professionals feel they have too many tasks, 30% say they are overwhelmed, and 25% believe their teams have inadequate resources to protect the organization.

When analysts rush to get through an endless list of alerts or events, it is easier to make mistakes or completely disregard something important.

 

What is a Cybersecurity Alert?

The nature and volume of cybersecurity alerts can vary significantly, being one of the reasons why alert fatigue has become a problem in the industry. Activities that may generate security alerts include:

  • Network: Data traffic spikes, including web, email, and others. Businesses may monitor this activity to detect data exfiltration, attacks, or suspicious activity, from distributed denial-of-service (DDoS) to vulnerability scans.
  • Application: Numerous login attempts, unusual activity from certain users, or alerts from web application firewalls (WAF).
  • Cloud: Cloud computing infrastructure is backed by a cloud security posture management (CSPM) solution, which notifies security teams of changes or other suspicious behavior.
  • Service Outages: Security teams need to know when services become unavailable. This might be a cyberattack or another event that requires their attention (hardware or connectivity failure).
  • Endpoints and Malware: Malware scanners or extended detection and response (XDR) solutions often produce a large number of alerts about malicious files or detected behavior on corporate devices. This may include ransomware alerts.

Interestingly, different security solutions or assets can produce each class of alerts, but certain technologies span multiple assets. For example, network activity alerts are often generated by firewalls or intrusion prevention systems, while data loss prevention (DLP) software can be present in several layers (endpoint, network, or cloud).

As companies implement more solutions to gain better visibility into their IT infrastructure, security teams become increasingly overwhelmed by the number of alerts they generate. It is up to them to correlate different alerts and their sources to form a cohesive understanding of what is happening.

Security information and event management (SIEM) solutions can organize and consolidate all these alerts in one place. However, this does not necessarily solve the problem. Integrating every alert into the SIEM without considering its severity or quality will only provide more visibility and worsen the problem.

 

What Causes Alert Fatigue?

If all alerts were serious and valuable, ignoring 30% of them would surely cause immediate damage. Most businesses do not fall victim to criminals or intruders every day — even if hundreds of alerts are ignored.

While it is good that most businesses manage to protect their core operations every day, the fact that so many alerts can be ignored indicates a lot of noise in these warnings. If an organization eventually finds itself involved in a cybersecurity incident, it is likely that only a few critical events were missed.

When security systems repeatedly warn about events that pose no concrete risk, it soon becomes clear that paying attention to them wastes time. In some places, this can be observed with car alarms — they are triggered by mistake so often that people rarely remember they are supposed to prevent theft.

Alerts will contribute to fatigue when they contain:

  • False Positives: These are outright incorrect. They might happen due to misconfigurations or bad detection signatures (such as in antivirus or intrusion detection systems). This is a very serious problem and will quickly breed distrust of any future alerts from the same source.
  • Non-threatening Events: Some security tools continuously generate reports about normal operations or are unable to flag more critical events for prioritization.
  • Duplicated Warnings: A single event can cause multiple alerts to be triggered, either simultaneously or over time. An analyst might disregard an alert as a duplicate or as related to an incident that is already being addressed.
  • Insufficient Information: Some alerts simply lack context or relevant information. Even when it might be possible to piece everything together using data from other events or logs, these could have been assigned to a different person or team, or established processes might make it difficult to obtain the required context.

The Risks of Alert Fatigue

When security team members start experiencing alert fatigue, the team first feels the consequences.

Alert fatigue can affect the team's morale, leading to high turnover or burnout. If the business responds by hiring more professionals, the high workload from unnecessary alerts, although ineffective, can be very costly. There is no guarantee this will completely solve the problem, as analysts will still require significant time to process each low-quality alert.

Professionals may use their ingenuity to adapt and filter out noise to a certain extent. When this is not possible, they might simply lack visibility over the more pressing threats the business faces.

Eventually, the team will likely miss an avoidable incident or fail to quickly stop an ongoing attack. 

Therefore, alert fatigue undermines the security team's work. This can lead to a cybersecurity breach or a delay in detecting and responding to an incident, increasing recovery costs.

Cybersecurity breaches expose the company to reputational damage, legal costs, and revenue loss due to disruptions (such as those caused by ransomware) or lost sales.

Some cyberattacks cause direct financial damage by impacting payments, services, or products.

 

How to Make Alerts Relevant and Reduce Fatigue

Every security platform generates alerts. However, care must be taken to avoid investing in solutions that may cause alert fatigue or worsen the situation for a team already dealing with this issue.

To ensure alerts are actionable and relevant, tools should be able to do the following:

  • Prioritization: Alerts must be categorized based on severity so that more serious problems can be addressed first. Timely response can be the difference between preventing an incident or recovering from an intrusion.
  • Automation: Responses should be triggered automatically. If the response can be automated (e.g., resetting a password, restarting a service, reprovisioning a resource…), even better.
  • Correlation, Insights, and Summaries: Related alerts should be automatically grouped or turned into insights that are more valuable than warnings about isolated events.

Axur builds its solutions to be smart and solve problems without creating noise for security teams. Our External Cybersecurity Platform manages 86% of its detection events without manual intervention. Meanwhile, the DeepChat interface for our deep & dark web monitoring uses generative AI to produce a concise summary of potential threats, reducing the need to manually review each detection.

Polaris, our next-generation threat intelligence platform, was built to enable teams of all sizes to leverage threat intelligence and AI in most tasks. It was built from the ground up to produce actionable insights and tailored threat summaries. Of course, it can also recognize critical events and prioritize them accordingly.

With powerful insights at their disposal, analysts can make data-driven decisions and fine-tune other sensors and tools with the latest information on each threat relevant to the business. This leads to better workflows and a smaller but more accurate queue of alerts requiring human attention.