I have Google Alerts configured to send me virtually all articles published about breaches, vulnerabilities, leaks, etc. Each time a security event takes place, I get anywhere between five and thirty articles that range in different levels of detail, research, and sensibility. They almost always have a common outline – the world is ending, someone is at fault, and there is nothing that anyone can do about it. New vulnerabilities are accompanied with a name, logo, its own website, a theme song, and a clothing line.
While information security needs as much awareness as it can get across all user spaces, a problem arises when it only comes dressed as a heavy metal rock ballad with the volume knob set to maximum, and set to repeat. Eventually, our ears adapt to the noise and our brains start to tune it all out. The industry calls this effect “breach fatigue”, and it is very apparent when considering the fact that both Target and Home Depot experienced record sales shortly after their historic security events.
Don’t get me wrong, I fully understand that reporters and journalists have the responsibility to cover stories in a way that will increase readership or viewership, whether they have a functioning understanding of the topic or not.
I have laid out the problem, but what irritates me even more than the headaches I get from some from these titles is the fact that I can’t think of a single viable solution, aside from an overwhelming demand from John (and Jane) Q. Public for the media to produce stories of higher quality. Since people seem to get all their information from Facebook, article titles, and the first page of Google, the expectation that they will come together and levy increased requirements against media outlets for topics that they already do not understand or care about is slim.
If you have any recommendations or comments, please feel free to send them my direction.
Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at firstname.lastname@example.org and on Twitter at @SteveHigdon.