What Is Cyber Vulnerability Fatigue and What Can Organizations Do About It?

What Is Cyber Vulnerability Fatigue and What Can Organizations Do About It?

You’re part of a cybersecurity team responsible for ensuring the security and integrity of your company’s network and IT infrastructure. Day in and day out, you put out virtual fires by monitoring the network, logging alerts, and fixing them. The alerts keep coming from all sides as you use different systems.

At some point, you’ll feel overwhelmed by the sheer number of things you need to monitor and fix. Eventually, you get tired by the tedium and the cycle, feeling that you don’t have the power to effectively stop these intrusions so you ignore a growing number of issues or vulnerabilities during the early stages, not realizing that this is just compounding problems that could potentially lead to a catastrophic disaster.

The feeling of helplessness and resignation over the task of protecting IT infrastructure is a very real phenomenon called cyber vulnerability fatigue. This may sound like a one-off kind of situation but, the reality is, it’s not. A study conducted by Cisco in 2019 showed that 42 percent of all respondents admitted to experiencing a form of cyber vulnerability fatigue. This figure rose by 12 percent from the previous year’s study.

Vulnerabilities come in all forms

The reality of the digital age is that cyber security vulnerabilities will never end, but instead, will keep rising. By the end of 2020, around 18,000 vulnerabilities were discovered for that year alone, with a cumulative 180,000 plus vulnerabilities identified through the past three decades.

With the rise of remote work and work-at-home arrangements, cybercriminals are now more intent on breaking into networks and IT infrastructure because they have more avenues from which to mount their attack. This is a huge headache for cybersecurity teams.

Many forward-thinking organizations are trying to jump the gun on these criminals by applying various security policies to help stave off these malicious actors. One such strategy is implementing continuous security validation. Through this strategy, the cybersecurity team can determine the security gaps within the network and then get recommendations for solutions. CSV allows for the continuous stress-testing of a network’s security posture which ensures that the network is always secure.

Unfortunately, many organizations are still not integrating new technologies and security protocols that could help their cybersecurity team. There is a disconnect between the needs of the cybersecurity team to be able to function at their optimal best, and the perceptions of the decision-makers who approve the implementation of these measures. Thus, cyber vulnerability fatigue comes in.

The thing is, cybercriminals are aware of this fatigue and know that if they just keep plugging away with their attacks, relentlessly testing for vulnerabilities they can exploit, they could succeed because someone from the cybersecurity team will slip and make a mistake. It’s a war of attrition.

Technical challenges that cause fatigue

Vulnerability fatigue is not a new thing, and neither does it reside exclusively within the domain of the cybersecurity industry. Professionals in industries as diverse as healthcare, construction, oil and mining, air traffic control, and energy plants do suffer vulnerability fatigue, too. But the very nature of the cybersecurity industry increases the effects of vulnerability fatigue on security teams.

The reason for this is that vulnerabilities–either those that are real, malicious ones, and those that are considered as false positives—are like moving targets. Regardless of what type of vulnerability it is, this will still get flagged and as is their responsibility, the cybersecurity team needs to check it.

Vulnerabilities come from all directions. For example, something as mundane as a legitimate app can perform some strange things that security platforms could flag as suspicious behavior. Usually, programs that perform instructions that are seen as similar to what malware does will be flagged, and security platforms will usually not be able to distinguish from real malware and pseudo-malware behavior.

Another fatigue contributor is the “New Normal” situation of remote work that was mentioned above. Before the popularity of remote work, cybersecurity teams have a very clearly defined boundary to look for vulnerabilities.

It would all usually reside within the confines of the office network. They could inspect traffic that comes in and out of the network and assume that intra-company traffic moves within the safe boundary. But with the workforce scattered over a wide geographic area, and are outside of this safe perimeter, traffic inspection will often generate frequent alerts and false positives.

Interestingly enough, continuous security validation could also create many false alerts. By its very design, CSV will scan the network for vulnerabilities informed by the MITRE ATT&CK knowledge base of known adversary tactics. While this is an effective way of sweeping for malicious techniques used by cybercriminals, it generates alerts because other companies will be employing it, and if configured improperly, would also create false alerts in other networks, which is why you need reliable CSV providers.

Easing cyber vulnerability fatigue

Cyber vulnerability fatigue has a real physical effect on people that could cause burnout for the team, negative financial impact on the organization, and increased risk of security breaches. Organizations need to take this issue seriously. One way to ease fatigue is to invest in tuning and reducing alerts. Ensure your security protocols are configured so that it minimizes over-alerting.

Of course, given that vulnerability fatigue is a malaise that affects the whole cybersecurity industry, it falls on the industry itself to think of innovations that would further help cybersecurity professionals do their job more effectively without having to sacrifice their health.

Cybercriminals are constantly upping the ante in this battle for network access. It’s time for the industry to seriously tackle the problem of reducing the noise and not just locating the signal. By doing this, there will be better discernment of what are real dangers and what are imagined ones.


Cyber vulnerability fatigue is a real problem in the cybersecurity industry that affects a growing number of security professionals. It is the very nature of the work that causes fatigue. But it also falls on the industry itself to think of new innovations that would reduce the challenges that contribute to cyber vulnerability fatigue.

You May Also Like