Back to Blog
Minute Read

Crying wolf – the challenge of alert fatigue

Alex Lee

When individuals are exposed to recurring warning messages about an event which then does not happen, like in the fable, The Boy Who Cried Wolf, people become immune to hearing the warnings. The story reveals how the villagers tune out the boy’s warning cries and become desensitized to all danger, thereby endangering themselves even more.

In this article

Despite companies investing more and more money in security to prevent insider threats, incidents are still rising at an alarming rate. According to CISO magazine,  “A recent survey report “2020 Cost of Insider Threats: Global Report” from the Ponemon Institute revealed that insider threats increased by 47% from 2018 to 2020. It also revealed that the cost of insider threat incidents also surged by 31% from $8.76 million in 2018 to $11.45 million in 2020.”  And worse, security teams are having a hard time keeping up due to the high volume of benign alerts. These alerts require investigation and analysis, resulting in extended investigations without any conclusive resolutions. Over time, alert fatigue sets in. This is one of the conditions that makes being a Tier 1 analyst tedious. No one wants to investigate alerts that just waste their time and don’t provide a sense of accomplishment.


The current approach to data leak prevention is typically a combination of DLP and UEBA alerts being fed into machine learning algorithms to create a baseline of ‘normal’ activities.  Any deviations to that ‘normal’ are logged as anomalies. This approach is great if your goal is to spend time investigating anomalous events.

Like crying wolf, the volume of false alerts rob any truly critical alerts of the importance they deserve. Desensitization leads to longer response times, missing important alerts and ultimately to sensitive data leaks.


In the 2002 American science fiction action film, Minority Report, a specialized police department apprehends criminals based on foreknowledge provided by psychics called “precogs” to prevent crimes before they happen.

The ability to stop data leaks before they happen? Now that would be great!

At Cyberhaven we are not claiming to be able to predict data leaks before they happen, yet there are behaviors that lead to a higher probability of data leaks. These are the behaviors that when monitored will help security teams hone in on the high-value data leaks that are most costly.

Cyberhaven’s Data Behavior Analytics (DaBA) product discovers, monitors and protects all your high-value data across enterprise and SaaS applications, and continuously educates your users to follow security policies and best practices. We reveal risk with contextual visibility to all data movement with 100% accuracy.

  • Real time monitoring of all data without the need for manual identification
  • Accurate alerting for rapid response
  • Full context event timelines with actionable intelligence for rapid remediation.

We won’t cry wolf. By focusing on your valuable data, Cyberhaven will let you know each time the wolf is in town.

At one customer, Motorola, the impact was not only identifying insiders that had eluded other tools like DLP, but an eventual reduction in the number of staff required to chase down alerts from 3-1. With more accurate alerts, the team was able to increase productivity and focus on more valuable activities. You can read about how Motorola combated insider threats in our case study.

Or even better, see how Cyberhaven can help your security team focus on your high-value data and reduce alert fatigue with a free risk assessment.