Stress and mental health challenges among cybersecurity professionals


Cybersecurity professionals work in a constantly changing adversarial threat landscape and often must adhere to ever-changing industry mandates, a work environment akin to a war zone.

Stress and mental health are of utmost importance in cybersecurity because cybersecurity professionals manage and respond to threats in a constantly changing adversarial environment.

There are several stressful aspects of cybersecurity careers because cybersecurity professionals are often the first responders to cyber events, such as breaches or alerts of suspicious activity within their firms. Therefore, they must maintain a level of vigilance that is often unmatched among other organizational employees, all while feeling underappreciated for their efforts.

What is stress?

Stress is any condition that causes an individual to have a generalized psychophysiological response that deviates from a state of equilibrium. Stress is the internal state or condition of experiencing strain or extreme pressure from external demands. It occurs when an individual experiences a reduction of mental capacity because of conflicting goals, desires, or limitations in cognitive resources.

Job stress is “a feeling of a person who is required to deviate from normal or self-desired functioning in the workplace as the result of opportunities, constraints, or demands relating to the potentially important work-related outcomes.” Job stress results when work demands and pressures do not match an individual’s abilities and knowledge, so their ability to cope is affected.

Causes of stress for cybersecurity professionals

Communication problems with management, high workload, challenges with the dynamic nature of technology, organizational technology initiatives (e.g., moving applications to the cloud, deploying IoT), and a frequent lack of security oversight for new IS projects all contribute to a high level of stress in the life of a cybersecurity professional. Stress also arises:

  • When security requirements increase the workload for employees and create added time pressure to meet these requirements.
  • Where security requirements are perceived as complex, forcing employees to spend more time and effort learning and understanding security.
  • Where organizations continually update job-related security requirements.
  • Where employee privacy is invaded through behavioral monitoring and tracking of employees’ information security behavior.
  • When workplace instructions from supervisors or peers conflict with established information security requirements.
  • When employees are exposed to security-related news, such as security breaches and misuse of sensitive data, and to persuasive communication, such as fear appeals.
  • When an individual’s privacy is breached because their use of ICTs can be monitored for information security purposes.
  • Where employees perceive work overload caused by the organization’s security activities.

Effects of extreme stress

Stress, burnout, and security fatigue continue to erode strong cybersecurity and remain significant human factors concerns. The persistence of these human performance issues is concerning, given the lack of mitigation and the limited integration of human factors practitioners who could address these adverse risk circumstances. During highly stressful events, cybersecurity professionals can show poorer security-related decision quality, narrower attention, and poorer working memory.

Stress symptoms may take days or weeks to manifest for some people. A few stress responses include:

  • Shock and disbelief
  • Sadness, frustration, helplessness, and numbness
  • Fear and anxiety about the future
  • Anger, tension, and irritability
  • Difficulty concentrating and making decisions
  • Loss of interest in routine activities
  • Loss of appetite (No desire for food)
  • Wanting to be alone
  • Too much or too little sleep
  • Nightmares or unpleasant memories
  • Recurrent thoughts about the incident
  • Headaches, backaches, and stomach issues
  • Increased smoking, drinking, or drug use
  • Increased heart rate and breathing difficulties

Stress without any relief can lead to a condition called distress, an adverse stress reaction that disturbs the balance or equilibrium of the body. Distress leads to physical symptoms such as headaches, upset stomach, elevated blood pressure, chest pain, sexual dysfunction, and problems sleeping; emotional issues include depression, anxiety, and panic attacks. Stress is linked to the leading causes of death. A few problems are associated with stress disorders, such as heart disease, cancer, lung ailments, obesity, diabetes, depression and anxiety, and Alzheimer’s disease.

How to ensure mental health for cybersecurity professionals

Exploring the stress phenomenon among cybersecurity professionals presents several research opportunities at the intersection of industry mandates, security controls, organizations, and people.

Unfortunately, business decision-makers lack the expertise to explore the negative influences of stress, burnout, and security fatigue on cybersecurity. Currently, there is a human factors knowledge gap in cybersecurity; as a result, human factors practitioners are not deemed critical stakeholders in cybersecurity. This critical omission prevents organizations from leveraging the expertise of human factors. As a result, business organizations struggle with persistent threats and vulnerabilities in cybersecurity while human performance issues continue to mount.

  • Partnering with experts: Organizations should collaborate with experts in the field of human factors to address the high friction areas that hinder cybersecurity performance. Practitioners of human factors can offer expertise in comprehending the technological implications and the adverse effects of advancing technology on workers, particularly the rise of cybersecurity.
  • Implementing a human factors program: For companies with extensive and intricate cybersecurity programs, it is prudent to implement a cybersecurity human factors program and collaborate with human factors specialists. A human factors program in cybersecurity could enhance key elements like security awareness and training to prevent security fatigue, benefiting non-technical staff and professionals in information security and cybersecurity. Implementing a human factors program can reduce the high friction areas that lead to cybersecurity incidents—like decreased human performance.
  • Practicing human-centered cybersecurity: People find it challenging to manage and understand the systems within the system as cybersecurity complexity continues to rise. To guarantee that people are a central pillar when developing systems, it is imperative to use a human-centered (design thinking) cybersecurity approach. Human factors are considered when designing human interfaces for computing systems using the common practice of “human-centered design.”
  • Establishing anti-fatiguing programs: Business decision-makers must give the decline in human performance in cybersecurity their undivided attention. Although I only touched on stress, burnout, and security fatigue, many other human performance issues in cybersecurity go unaddressed and are actively pursued by cybercriminals. The time has come for the cybersecurity industry to take human factors seriously after other sociotechnical sectors have addressed issues with human performance. One way to address the decline in human performance is to implement an anti-fatiguing initiative, particularly by investigating the causes of stress, burnout, and fatigue and incorporating preventative measures.