Open in app

Sign in

Write

Sign in

Asleep at the wheel? The effects of sleep on cybersecurity professionals

Lincoln Kaffenberger
18 min readOct 28, 2020

Executive Summary

Stress and burnout are problems for cybersecurity professionals, but how do sleep habits fit into this picture? This paper reveals discoveries from a recent survey of cybersecurity professionals’ work patterns, stress levels, and sleep habits. The survey shows that cybersecurity professionals sleep less than the clinically recommended amount and that there may be a correlation between sleep and stress levels. The survey also shows participants’ professional and personal habits may be contributing to reduced quality of sleep which may correlate to their stress levels. This paper also provides suggestions into how — based on the survey and recent academic sleep research — professional and personal habits can be adjusted to possibly help reduce stress, improve health, and be a more effective cybersecurity professional.

Background

Full disclosure, I don’t like sleep particularly. I often quip that if I could have a super power, it would be to not need sleep. In the military the slogan was ‘sleep’s a crutch’ and I bought into it. When I talk about my military sleep deprivation stories I tell it like it’s a joke or a funny story because we all assumed sleep was more a luxury that we never had time for — too much work to be done! I suspect the same attitude prevails in the cybersecurity community.

While I don’t like sleep, certain family members feel differently and believe that sleep is not a crutch but rather a necessity (and something they might prefer I get a little more of). So as a Christmas gift I received a book titled “Why We Sleep: Unlocking the Power of Sleep and Dreams” by Matthew Walker PhD. While the book is definitely on the advocacy end of science and has been reported to have “some errors”, I found it a thought provoking read and it inspired me to think about the state of the cybersecurity field and how sleep — or lack thereof — might be affecting it. Both the book and much scientific literature shows a strong correlation between poor sleep quality and or quantity and things such as worse health, poorer memory, higher stress, and many more ills.

There have been a number of posts recently about the state of cybersecurity professionals experiencing high levels of stress and burnout from various studies (SOC burnout on pg14–15, CISO survey pgs10–12 talk stress management, and Cyber Operations Stress Survey to name a few) not to mention big names in the industry such as Richard Bejtlich, Sergio Caltagirone, and Troy Hunt. Stress is certainly a problem and it’s great to see this problem being talked about publicly. One thing I don’t see is anyone talking about the relationship between cybersecurity work, stress, and sleep. There is certainly the risk of a downward spiral within this relationship: say work causes high stress; high stress negatively affects sleep quality and quantity; poor sleep quality and quantity affects ability to do work, which causes increased stress; and so on. Poor sleep quality and quantity can also reduce one’s ability to cope with stress. There is hope though. If one can achieve good or at least sufficient sleep quality and quantity they will be better able both to cope with stress and to do work (which should hopefully reduce work stress).

Given the reports of stress and their connection to sleep, I had a suspicion that cybersecurity professionals didn’t sleep very much. In the few years I’ve been in this community, I’ve seen and heard enough to think that many of the same beliefs about not needing sleep (see DEFCON’s 3–2–1 rule) are shared by many cybersecurity professionals, though I didn’t know for sure. For that reason I decided to create a survey to see what the sleep habits of cybersecurity professionals are and how their sleep might be affecting their stress levels.

Audience and Methodology:

  • Used Google forms to build and deliver the survey and record the responses. (Survey can be found HERE.) Shared the survey via a link that respondents can take.
  • Advertise the survey through direct connections with cybersecurity contacts, posting on social media (LinkedIn and Twitter) and through email to two different cybersecurity information sharing groups.
  • The survey was open to any cybersecurity pros. (Full disclosure: being in CTI, I have an outsized interest in that specific segment of the cybersecurity demographic and given the majority of the people whom I follow and follow me on social media are also in that field, there was a higher than average participation by CTI professionals in the survey.)
  • The survey link remains live for potential future use. The survey responses are as of 13 July, 2020.

Findings from Survey

At the time of this writing, there were 141 responses to the survey. Most respondents were in the private sector and vendors and in their 30s or 40s. 75% of respondents claimed to live in the USA.

Work Habits

The majority worked between 40 to 50 hours a week, though almost 40% reported working more than 50 hours per week.

Over half of respondents reported checking their work email right before they go to bed either ‘often’ or ‘all the time’. Over half the respondents reported ‘working late’ either often or ‘all the time’. When working late, the majority of respondents worked between 2 to 4 hours later than their usual stopping point.

Work Stress

When asked about stress, the majority of respondents rated their work related stress level between a ‘6’ and an ‘8’. The highest rated sources of stress were “High workload”, “Lack of staffing”, and “Lack of budget or resources”. While “Other leaders and managers” was also rated as a high level of stress, interestingly “their boss” was not often a source of stress. In the middle of the stressors: “poor sleep quality/quantity”.

The most commonly noted ways of coping with stress were “Exercise”, “Hobbies”, “Spend time with family”, and “Play video games”. Other ways that may be considered less healthy include “Ignore the stress”, “Self medicate with alcohol”, and “work more hours”.

Almost half the respondents believed that stress was negatively impacting their ability to do their best work. When asked to describe how stress was impacting their work, 13% of respondents stated that stress either had a positive or neutral impact on them, saying things like stress makes them sharp or doesn’t bother them. Most respondents however had negative comments, saying that stress caused them to:

  • Procrastinate on tasks that cause stress
  • Push out poorer quality work
  • Have trouble focusing
  • Impairs memory
  • Causes fatigue
  • Poorer judgement
  • Loss of energy
  • Consider other career options
  • “Keeps me awake”

One respondent summarized their stress level like this: “Let’s put it this way, I need money to survive, and me getting paid is dependent on our organization not getting pwnd. Our security posture is far from ideal, and it will never be in a good place (lack of budget, business doesn’t want to be slowed down by security). The day we’ll get pwned, heads gonna role, chances are that mine will be part of that lot. So I’ll let you guess how stress impacts me.”

Sleep Habits

When asked about their sleep habits, respondents reported sleeping around 6 hours on average with over half of respondents reporting sleeping less than 7 hours a night on weeknights.

When asked about their sleep quality, almost half rated their sleep a 3 out of 5. Respondents also stated that the majority — 60% are able to fall asleep in under 30 minutes while 10% claimed it takes more than an hour to fall asleep. Perhaps the more telling and interesting responses came to the question of how many times do respondents wake up in the middle of the night. Only 15.6% reported sleeping through the night without interruptions and over half of respondents reported waking up two or more times a night. The most common reasons for the sleep interruptions were to use the toilet, environmental factors such as light or noise outside, and to assist a child. Work and work related stress was also often cited among the reasons for waking in the middle of the night. Almost 9% of respondents cited “Work emergency” or “Phone notifications” as reasons and 6.3% cited “Stress”, “Anxiety”, or “Nightmares” as causes. It should be noted, the survey question did not specify a time period that these disruptions occur so it is unclear from the responses how frequently they happen.

Other sleep habit findings include:

  • Most respondents report looking at a screen of some sort within an hour of trying to go to sleep
  • The majority reported checking their work email right before going to bed
  • The majority do not often give themselves time to unwind before going to bed
  • Very few report taking naps during the work week
  • Very few report using sleeping aids such as sleeping pills

Lifestyle questions

There are a handful of common lifestyle factors that affect sleep quality and quantity: caffeine, alcohol, and exercise — especially when these are either consumed or performed close to the time when one tries to go to sleep. Almost 50% of respondents reported consuming more than 2 caffeinated drinks on a week day with about a quarter reporting they consume their last drink after 5pm. As for types of caffeinated drinks, 80% drank coffee, almost 40% tea, and almost 28% and 27% drank energy drinks and soda respectively. (Note — respondents could check multiple, so the percentages will not add up to 100%.)

When asked about alcohol, 45% reported not drinking on week days, almost 37% reported drinking one or two alcoholic beverages on a typical week day, and almost 18% reported consuming 3 or more alcoholic beverages on a typical week day. The majority — 72% — reported the last hour they do so on a work night was between 7 and 10pm while almost 21% reported finishing their alcoholic beverages between 10:30pm and 3am. Beer and wine were the most typically consumed alcohol at 51% and 46% respectively. Liquor was the next most preferred with almost 28% drinking it straight and 27% going for mixed drinks. (Note — respondents could check multiple, so the percentages will not add up to 100%.)

For exercise, the majority of the respondents claimed to work out with only 14% saying they did not work out during the week. 46% reported working out between 1–3 times a week, 36% reported between 4–7 times a week, and 3% reported working out between 8 to 10 times a week. Almost 35% reported working out in the mornings between 5am and 10:30am, almost 14% reported working out mid-day between 11am and 4:30pm, and the majority — almost 52% reported working out between 5 and 11pm. Of those 5–11pm workout respondents most reported working out between 7 to 9pm, representing almost 38% of all respondents.

Beliefs about doing your Best Quality Work

When asked about how much sleep cybersecurity professionals needed to do their jobs well, almost 73% said they need 8 hours or more, 17% said they need 7 hours, 9.9% said 6 hours, and less than 2% say 5 or fewer hours. When asked how little sleep cybersecurity professionals can get regularly and do their work well enough, around 9% said 8 or more hours, 25% said 7 hours, 37% said 6 hours, and 27.6 said 5 or fewer hours.

When asked their opinion about what percentage of cybersecurity professionals are sleep deprived, 48% of respondents thought greater than three-quarters of professionals were sleep deprived. When asked their opinion about what percentage of cybersecurity leaders are sleep deprived, almost 54% of respondents thought greater than three-quarters of leaders were sleep deprived.

When asked about the level of impact that sleep had on their work, the vast majority felt as though there was an impact. To this end, respondents said the following about the effects sleep is having on their work.

  • Felt more fatigued when getting less sleep
  • Memory problems
  • Difficulty concentrating and focusing
  • Lack of creativity
  • Less empathy and emotional intelligence

Note, the specific question was “What effects are your sleep having on your work?”; the question was intended to be neutral yet the majority of the respondents responded to the effect of lack of sleep. Some respondents indicated that they did not need much sleep and did not experience a correlation between their sleep and anything be it good or bad — however, these comments were in the minority.

Analysis

Stress Levels

Given that stress has been shown to be a growing concern for cybersecurity professionals, the analysis started here at the respondents self reported stress levels and tried to see what if any connection existed between stress and other data points within the survey. There was no discernible connection between the self-reported stress levels and the reported hours of sleep nor hours of work. There was however a weak correlation between the stress level and the sleep quality as well as stress and time to fall asleep. As respondents’ stress levels increased — i.e. got worse — their quality of sleep decreased and the time to fall asleep increased

As the above graph shows, while the correlation is clear it is still weak: the difference in sleep quality is between a 3.18 for lower stress group and a 2.82 for the higher stress group; the difference in the average time to fall asleep between the lower stress group and the higher stress group is only 7min. Given the top cited causes for stress (‘high workload’, ‘lack of staffing’ and ‘lack of budget/other resources’) are not ones that can be solved by increased sleep, it appears from this data that lack of sleep or poor sleep may not be a cause of stress. The inverse is not the case though.

Sleep Quality

Upon analyzing the self-reported quality of sleep with other factors, there were several noticeable correlations. First, as the average sleep quality decreased so did the number of hours slept. Inversely, as the average quality of sleep decreased the average hours worked increased. It makes sense that the more hours one works in a week the fewer hours are available for other things in life — such as sleep.

As average reported sleep quality decreased, the time to fall asleep also increased from 15 minutes on average for those with a ‘5’ sleep quality rating to over 60min for those with a ‘1’ sleep quality rating. There was also a clear connection between the quality of sleep and the number of sleep interruptions in a given night with those who reported a ‘5’ sleep quality averaged slightly less than 2 interruptions per night while those with a sleep quality of ‘1’ reported an average of 5 interruptions per night.

Analysis of other sleep hygiene factors revealed similar correlation with sleep quality. As sleep quality decreased, respondents reported:

  • More frequent checking of work email before bed
  • More frequent ‘looking at a screen’ within an hour of going to sleep
  • Less frequently giving themselves 30min or more to ‘unwind’ before bed

Sleep Quantity

Similar correlations existed when analyzing reported quantity of sleep as did quality of sleep. As the average quantity of sleep decreased, the hours worked increased and the average self reported stress rating generally increased though dipped slightly for those reportedly sleeping 5 or less hours a night as seen below. One theory for this is that the high workload for cybersecurity professionals isn’t always ‘deep work’ that requires great focus and attention — sometimes the work is rather mundane and therefore even if a cybersecurity professional is sleep deprived they can often still perform some of these tasks sufficiently enough and reduce their workload thus possibly reducing their stress level.

Those extra hours spent at work may be enough to reduce the stress levels, however they are not resulting in better quality sleep. As the graph below illustrates, as average sleep quantity decreases so does sleep quality with there being an entire point difference between those sleeping 8 or more hours and those sleeping 5 or less hours. As the quantity of sleep decreased the average time to fall asleep increased with there being a 30 minute difference between those sleeping 8 or more hours and those sleeping 5 or less hours.

Beliefs

One of the more interesting findings from the analysis of the survey respondents was about beliefs — specifically the beliefs of the number of hours of sleep needed to do the job well vs the minimum needed to do one’s job well enough. When analyzing these beliefs by professional category, there were some interesting results. Over 80% of CISOs and other leaders claimed that they needed 8+ hours to do their jobs well with less than 10% of them saying that 7 or 6 respectively was all they needed; none believed they could get by with 5 hours or less and do their job well. The minimum hours needed was different — most stated they could get by with 7 or 6 hours of sleep with both getting 36%.

Cyber Threat Intelligence respondents had the highest percentage — 40% — of fields who believed they could get less than 6 hours of sleep and perform their jobs well enough. Responses from other professions in the survey were less — only 20% of CISOs and 11% of Incident Responders believed they could do their jobs well enough on less than 6 hours or sleep.

The CTI beliefs are interesting as the reported effects of sleep deprivation seem to hit most squarely at areas that seem to be core to intelligence work. Multiple scientific studies have shown that poor sleep quality and quantity has direct, negative effects on memory formation, ability to problem solve, creativity, writing and briefing abilities, and ability to recognize and combat bias. With this information, it is quite possible that many CTI professionals’ work is not as good as it could or should be due to the effects of poor sleep quantity and quality.

Recommendations

To get better sleep — i.e. better quality and quantity — there are several recommendations from reputable sources such as the US CDC and the Sleep Foundation. The top recommendation on their respective lists as well as in the ‘Why We Sleep’ book is to keep a consistent sleep rhythm. Wake up at the same time and go to sleep at the same time, even on the weekends. If you could do one thing, sleep scientists agree keeping the same sleep routine is THE best way to improve sleep quality.

Along with routine, review the guides from the CDC and Sleep Foundation for other ways to improve your sleep hygiene. Many in the survey stated that lights and noise woke them up in the middle of the night. By ensuring your bedroom is best suited for sleep, you can ensure you have the best chance to get a good night’s rest.

For those who remain skeptical and don’t believe they need more sleep, I encourage you to test yourself. Conduct an experiment on yourself where you keep a sleep journal (many such examples can be found online) where you track how many hours you sleep, how much and what caffeine and alcohol you consume as well as when you last work out over a two week period. During that period you could take some kind of cognitive test and use the results to compare with your change in sleep. One such test used heavily by sleep scientists is the Psychomotor Vigilance Test (PVT) of which many free versions can be found online. Then increase your sleep quantity to the medically recommended amount for a couple weeks and compare your performance during those periods. If you find marked improvements that may suggest you would do well to get more sleep.

And lastly, if you want to get better sleep, you should do what you can to just get more sleep. There’s a good chance that over time you will see the quality increase as well. As this survey showed with cybersecurity professionals, when it comes to sleep, quantity is quality.

Future work

CTI analysts sleeping their way to better analysis — Given the findings both from this survey and other sleep research on the cognitive impacts of sleep deprivation, it is my belief that there needs to be more study on the impacts of sleep deprivation on CTI professionals in particular. Specifically, testing the degree to which sleep affects a CTI analysts’ memory, their problem solving abilities, their ability to make connections between disparate data points, their creativity — which is crucial for envisioning potential future threat scenarios when making predictions, and finally the effects of sleep on CTI analysts’ ability to recognize and combat cognitive bias and analytic fallacies. Ideally, tests could be created such that analysts could use gamification (something similar to say Lumosity or other brain games) that is specific to CTI and pair it with a sleep tracker so analysts could see for themselves how their performance is affected by their sleep quality and quantity.

Other future work includes working with teams and organizations to consider organizational level change to improve their people’s sleep:

Alter team work routine to promote team sleep routines — There are several situations in which cybersecurity professionals may have to endure long hours that interrupt their normal sleep routine such as calls at odd hours with someone on the other side of the world. To the extent possible, these events ought to be either avoided or shifted to be emails or internal blogs/Teams discussions instead of meetings; it may have the unintended yet welcomed side effect of increasing productivity as well.

Plan for Rotations — Responding to incidents at odd or late hours takes a toll on sleep quality. Organizations would do well to anticipate this and have a rotation plan to ensure those responding to incidents are able to rotate and stay fresh and to minimize pulling people out of bed.

Cyber ‘Crew Rest’ — To that end, organizations could consider ways to assess how to determine how awake or sleepy a given staff member is and use this as a way to see if they are ‘fit for duty’. This would be similar to the idea of ‘crew rest’ for pilots where they are given a mandatory rest time between flights — ostensibly for sleep.

Incentivize Good Sleep — Additionally, few organizations reward their people for getting good sleep, rather they praise (and promote) those who ‘burn the candle at both ends’ to work. Promoting well-being programs designed to help staff sleep better and incentivize good sleep habits can certainly help all your people, including your cybersecurity professionals.

Resources

Survey Information

Survey can be found HERE.

Results as of DATE: 13 July 2020

Sleep
Cybersecurity
Cyber Threat Intelligence
Stress
Work

--

--

Lincoln Kaffenberger

Written by Lincoln Kaffenberger

2 Followers

Cyber Threat Intelligence professional

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams