We security management types would like to think that every task we give our minions is exciting and engaging. However, there are lots of security tasks which can be, well, boring. The best example of this is reviewing logs for anomalies. Fortunately, more and more shops are using artificial intelligence to winnow down the amount of data the poor analyst has to review. But sometimes, we have give our staff boring things to do.
In some ways, the boring tasks are a rite of passage for more junior analysts. In return for slogging through the logs, we tell them that as they increase their skills, we’ll inflict this particular torture on the new guy or gal who follows them. It is important to follow through on such promises; failing to do so leads to bored analysts leaving for more interesting jobs.
Let’s face it – boredom is, well, boring.
But is boredom ALL bad?
Not according to an article titled Why boredom might not be a bad thing after all, published in the Academy of Management Discoveries journal.
In addition to providing an interesting overview on the boredom research done to date, the researchers described a series of experiments they performed to see whether boredom’s effects were all negative. Their findings were surprising:
Boredom can lead to creativity – for some people. The researchers found that people who were judged to have a high level of openness to new experiences, a need for cognition and a high level of self direction actually generated more numerous and more unique ideas when they were asked to brainstorm after performing a boring task.
Boredom is not necessarily associated with higher levels of anger or frustration. When two groups were given similar tasks with different levels of boredom, there was not much of a difference in their self reported emotional state.
This second point seems to conflict with earlier studies mentioned by the authors in which boredom can be seen as a security risk – these studies have shown that boredom can be a factor in thrill-seeking and risk-taking behaviors, violence, theft and that individuals who reported frequently feeling bored at work were much more likely to engage in sabotage. For example…
So how can we use this information as security professionals?
First, if we are going to ask our analysts to perform some less than thrilling task, consider interspersing tasks which are more creative and need them to think of new solutions to problems. You may find that they will produce more and better results when coming off a log review session or finishing analyzing strings in a piece of malware.
Second, think about how boredom in your non security people can affect security. In many cases, security problems start with mistakes – and mistakes can be provoked by boredom and distraction (at least according to this 2017 poll of users). Look around your workplace for the people with repetitive, potentially boring jobs. Maybe target them for some additional awareness messages or even talk to management about how their jobs are designed and how that could affect organizational security.
Hopefully, this piece has made you think about boredom in a more interesting way. If not, well, use your resulting boredom to come up with some kickass ideas!