American View: Why Are Your Security “Alerts” Counterproductive?

Risk Management15 Apr 2024

I feel like I’ve reached peak alert fatigue. If you’re unfamiliar with the term, it’s what happens when people become so accustomed to alarms or warnings that they unconsciously tune them out. It’s not a matter of actively ignoring alerts; it’s when a person’s brain gets so tired of reacting to non-actionable inputs that it simply edits them out of existence.

This idea struck me on the 13th when a tsunami of “breaking news” alerts interrupted my Zoom call. The alerts – piling on faster than I could skim – warned that Iran had launched a wave of drones and missiles at Israel, presumably as retaliation for Israel’s strike on Iran consulate in Syria. One BBC alert noted that it would take three or more hours for the strike to arrive, and that left me wondering so … now what?

I know what you’re probably thinking and that’s not where I’m going with this. Bear with me.

Yes, this was breaking news. I like to be kept aware of international events, especially when they might affect my work. I recall thinking that I wasn’t upset with the BBC for pushing their news alerts to my phone; rather, I was surprised at my reaction to them.

First, for context, I’m in Texas. I suppose I could tell my family to take shelter in the basement or clamber up onto the roof with a shotgun to attempt some partisan anti-aircraft defence but that would just waste everyone’s time.^[1] Even if Iran’s missileers were the most incompetent on earth and had accidentally targeted Dallas instead of Tel Aviv, it wouldn’t matter. Iran’s longest range attack drone is believed to have a maximum range of 2,500 km. Dallas is around 11,700 km away so there was no direct threat to my family or community.

Honestly, it would probably be weeks before anyone even noticed a missile strike in 90% of the state.

Second, if Israel counterattacked Iran over the strike that still wouldn’t directly impact me or my family. We’re nowhere near the area and don’t have any relatives, friends, or even business acquaintances in either country.

Now if you’re thinking, “That’s horribly selfish, Keil! Shouldn’t you have empathy for the people subjected to this attack?” you’d be right! I agree. That sort of “who cares about Johnny Foreigner?” attitude is damnably repulsive. Fortunately, I’m not a vile sociopath like some of our most loathsome elected representatives so no such thought crossed my mind.

Instead, my gut reaction on reading the string of alerts was “Right, then. I understand, what’s happening now, but what are you asking me to do with this information, BBC?!” It felt like I was being told that a building is on fire in another city … I was rightfully horrified and I wished that the event wasn’t happening, but … a crucial element of the story was missing.

It’s not like I could spring into action, hop into my super-science rescue rocket and go shoot down those Iranian missiles and drones, a la Thunderbirds Are GO! Similarly, I’m not rich, so I don’t have a politician on my payroll that I could pressure to intervene through diplomatic channels. I may be active on Twitter and have been on television a few times, but I’m absolutely not an influencer; I have zero pull with anyone connected to Israel’s government or Iran’s (unless someone there has been reading my column). ^[2]

That was what bothered me the most about my reaction to the seemingly endless stream of alerts: I couldn’t find a call to action in any of them. That simple “because this, therefore do this” statement that I’ve come to expect from my alerts. I was expecting more from the news agencies than I was getting, and that bothered me.

Dagnabit, what the heck’s going on here?

I had a think about that after reading a few articles. I realized that what I was seeing was the usual “breaking news” alert push: a thing is happening, here’s what we know. There was nothing unusual about how the news was breaking. What was getting to me was my own skewed expectations. The disturbing call was coming from inside the house, so to speak.

I’ve been coaching security professionals for years to always include a call to action in their breaking news articles, social media posts and (most importantly) in their alerts. To never just tell their users that a thing is happening without also telling them what to do with the information. It’s not just an industry best practice; I believe it’s an essential method for pre-emptively mitigating alert fatigue.

As an example, imagine that interrupted right this moment by a pop-up message from your organisation’s security team: “Warning! A new Blurpvert^© vuln has been discovered in France!” You’ve just been “informed” of a threat, but … so what? What are you supposed to do with this new information? Are you going to go search the internet for articles that can explain this new virus? Change how you work to prevent a breach? Run screaming into the carpark? Go full-on Mad Max, turn your necktie into a headband, set your cubicle on fire, and give cannibalism a go? What’s the ask, man?!

If one of my people broadcast an alert like that, I’d channel my inner drill sergeant to maximize the emotional impact of their richly deserved chewing out. We. Do. NOT. Do. That. Bob!

Security alerts are crucial tools for changing user behaviour in a timely fashion. Well … they’re supposed to be. Done right, security alerts tell users that (a) something notable is happening, (b) how they’re affected by it, and – most importantly (c) what they’re supposed to do. That last part is, I feel, the most important element of the communiqué. An alert that doesn’t motivate action is just noise.

When you consider that more than 90% of the information we process each day is useless, it’s hard to treat new messages and alerts as something worth paying attention to.

Consider, then, if our example alert had been properly constructed: “French company XYZ was just breached by a new virus. Our company uses the same vulnerable system – Blurpvert^© – that was compromised in the XYZ breach. Therefore, stop using Blurpvert^© until we tell you it’s safe to do so. Also, report and delete every external email that mentions Blurpvert^© until further notice.”

That alert tells the user that something important is happening, what is happening, what it means to them, and – crucially – what to do about it. The alert must be short, direct, easily understood, and actionable. This sets properly expectations for all personnel and gives supervisors the mental model they need to then monitor and correct hazardous user behaviour. As a positive side effect, it also trains your users to read and act on every “breaking news” alert coming from security.

Looking back on it, I realize that my response to the BBC’s Iran attack message was incorrect. It wasn’t a security alert as such; it was a normal situational awareness input and wasn’t intended to be anything more than that. I was in the wrong for expecting it to be something other than that.

Since I was thinking about alert fatigue, though, I noticed that I quickly stopped perceiving the alert pings from my PC and began to ignore the buzzing from my phone as more news entities began covering the story. It didn’t matter that I wasn’t interested in knowing more about the developing horror; my brain had realized that there was nothing that I needed to do about it, and therefore “silenced” the interruptions so I could concentrate on my Zoom call.

I know it seems a bit weird, but that’s how we’re all wired. If you want your security programme to be effective, take that into account when crafting and deploying your emergency alerts.

^[1] In Texas, the default response to all emergencies is to shoot at something. Doesn’t matter if it’s an army of drones or a pie overbaking: blast it!
^[2] If I’m wrong about that, then knock it off, the both of you!

Risk Management