Cybersecurity and marijuana

Marijuana is becoming more accepted. Will cybersecurity employers play along? – asked Cybersecurity Drive recently.

Five hundred respondents in the 1Password recent survey were security professionals in IT departments as managers or higher, and the remaining 2,000 respondents were from other departments in their respective companies. The results of this survey show that the majority of security professionals (84%) are feeling burned out, which contributes to a decline in initiative and motivation, reducing compliance with cybersecurity protocols.

The survey participants stressed out that security rules and protocols are not “worth the hassle”, which leads them to perform the “bare minimum” of their job. Moreover, the pandemic was a catalyst for many resignations in the technology and cybersecurity industries, enhancing the already existing skills gap.

The (ISC)² Cybersecurity Workforce Study found that the global cybersecurity personnel grew to 4.2 million professionals in 2021, which represents a 20% increase from 2020. However, despite the increase in the workforce, the majority of respondents (60%) in this report stated that their organisations face risks directly related to skills shortages.

Alert fatigue

Looking from the cybersecurity professionals’ viewpoint, burnout can also lead to alert fatigue and internal apathy. According to a survey from IDC, more than one-third of IT security managers and security analysts ignore threat alerts when the queue is full.

Evidently, cybersecurity professionals will need the assistance of the entire workforce to maintain the organisation’s cybersecurity posture. At the end of the day, everybody should play role in the organisational cybersecurity culture and resilience. However, end-users also suffer alert fatigue, also known as ‘cybersecurity fatigue’.

Cybersecurity fatigue manifests itself in much the same way in what psychologists call ‘decision fatigue’ or ‘ego depletion. It drains our mental energy making us less resistant to real dangers and lures us to do things without real consideration for consequences.

Recent studies found that many end users have reached the saturation point, which desensitised them to cybersecurity. Being bombarded with numerous cybersecurity messages, advice and demands for compliance, users lose interest to listen and comply.

As such users tend to avoid these directives and, to regain control, behave irrationally by adopting a ‘head in the sand’ approach, embracing a carefree online attitude driven by impulse and immediate gratification.  The usual motivation behind this behaviour is the perception that much of the shocking impact of cyber-attacks is due mainly to the bellicose headlines that often report on these stories.

It is needless to say that this ‘bury head in the sand’ approach of end-users and the alert fatigue of cybersecurity professionals are the most damaging to organisations. This behaviour can, for example, result in stolen identities, which can often end up in stolen money or reputation.

Refusing to enhance cybersecurity because people loathe the added security pathways can cost businesses revenue and lose customers. Not securing access to a company’s data can cost organisations millions.

Cybersecurity fatigue and marijuana

Approval of recreational marijuana has been on the rise for the last decade in many countries. South Africa endorsed this practice in September 2018, when a landmark decision by the Constitutional Court in South Africa legalised certain acts concerning cannabis. In particular, the court ruled that the private cultivation, possession and use of cannabis by an adult for personal use should no longer be a criminal offence.

So, what marijuana has to do with(in) cybersecurity?

Will alert fatigued cybersecurity professionals and end-users reach for marijuana to calm distressed nerves? The hacker and security communities will certainly not deviate too far from the norm, suggest a recent article in the Cybersecurity Drive.

How would then companies behave in this era of the severe shortage of cybersecurity professionals?

For now, it is certain that companies in marijuana-friendly states are moving away from zero-tolerance drug policies and focusing on behaviour analysis based on performance or safety reviews, reported HR Dive.

Candidates that apply to cybersecurity positions can be well-qualified but their marijuana use may (or may not) be of concern when considering the suitability or fitness of the individual for the position. The major concern, however, would be if these candidates or the existing employees use marijuana to fight fatigue but, at the same time, make themselves less resistant to real dangers and lure them to do things without real consideration for consequences?

Will eligibility for access to classified information or employment in a sensitive national or organisational cybersecurity position be explicitly controlled by the marijuana-use related regulations and laws?  Or will the “fine print” in the appointment documentation discourage active use of marijuana?

What about cybersecurity professionals and end-users eligible for the medical use of marijuana?

All of these questions are asked in the context of possible severe human mistakes caused by alert fatigue or by suppressing this kind of fatigue by possible using marijuana.

The average human makes 35,000 decisions every single day. On a weekday, the majority of these decisions are those made at work: decisions around things like data sharing, clicking a link in an email, entering the password credentials into a website.

Breaking the rules, making a mistake or being tricked can lead to serious security incidents for a business. These mistakes are not only made by end-users but also by savvy but fatigued cybersecurity professionals.

However, it seems that currently, the professional hackers and cybersecurity workforce are no different than other professionals in regards to the cannabis culture. There are clichés and stereotypes that follow security professionals, but it does not distract from the trust their employers have in them.

We, unfortunately, do not have answers to the above questions. However, we do believe that these questions are important and deserve multidisciplinary answers. Technologists, managers, psychologists, sociologists, lawyers and philosophers – to mention some – are invited to offer answers to these questions.

However, all the above does not necessarily mean that we are against the reasonable or necessary use of marijuana. We are only concerned about the cybersecurity of our organisations and the country, hence hoping that the above questions will eventually be answered satisfactorily.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s