Today, let's talk about "Analyst Fatigue".
Analyst Fatigue is a term for the bias that sets in after a long stretch in any job where you receive a constant stream of escalations to triage.
A triage queue is full of reports like this one:
Issue: "Complete compromise of search homepage."
Steps to reproduce: "1) Save copy of index.html, 2) Edit with your javascript code, 3) Open modified index.html in browser, 4) OMG I owned search!"
Now imagine you're an analyst doing triage, and the following report comes in:
Description: "Step 1) Call a friend Step 2) Add your own phone number to the call Step 3) You can listen in on the call"
Three steps, written like the index.html report above, and yet what they describe is a caller silently listening in on someone else's call. As a fatigued triage analyst, I can EASILY see how someone would misread that and fail to escalate it.
*files as false positive / poor report*
This is an easy mistake for a triage analyst to make. Now, I keep using the words "Triage Analyst". Why?
You might think the obvious fix is to put senior engineers on triage. WRONG. Senior engineers would quit that job so fast their chairs would follow the cavitation vacuum out the door with them.
So this job ends up being done by more junior engineers.
Junior engineers as the first level of triage, fatigued by too many false positives, missing a real escalation.
This problem is endemic in Security. Not just PSIRTs, but Detection & Response too, where it goes by the name "Alert Fatigue".
So anyway, what I'm saying is: this is a MUCH harder problem to solve than a glance at one mis-escalation would suggest.