In one survey of 408 chief information security officers, every single one reported their security team’s job as stressful, with 36% reporting ‘tremendous’ stress levels. In another survey of 302 cybersecurity professionals, half reported that their job keeps them up at night, while 46% of 16,029 people working in cybersecurity in a 2025 study reported feelings of exhaustion. The most common stressors originated in cyber insecurity: staying ahead of threats, securing networks and endpoints, and worrying about potential cyber incidents.
These reported stressors and responses are what psychologists Richard S. Lazarus and Susan Folkman term problem-focused coping: efforts directed at changing the stressor itself. In some cases, this might be enough.
However, cybersecurity professionals work in an environment of structural insecurity. If the stressor is immutable, problem-focused coping becomes less effective. In such cases, coping must also include, per Lazarus and Folkman, ‘minimizing, avoiding, tolerating, and accepting’ the condition. To create tolerable conditions for themselves, cybersecurity professionals must acknowledge the permanence of cyber insecurity and develop a deliberate relationship with it.
Cyber insecurity is unavoidable
Motive, capability, and opportunity to spy, steal, and disrupt are present in cyberspace as they are in the physical domain. An estimated 600 state and non-state advanced persistent threats have been active in the past decade, along with multitudes of less advanced and less persistent actors. Cyber capabilities are increasingly commoditised, from ransomware affiliate programmes to agentic generative AI automating large portions of espionage campaigns. Beyond motive and capability, the scale and pace of software development create effectively unlimited opportunity.
Software is imperfect, or, more precisely, human imperfection is reflected in our software. More than 180 million developers build on GitHub, contributing nearly one billion public commits – edits and updates to code – in 2025 and billions more to private projects. One billion commits per year is roughly 2.7 million commits per day. At a conservative estimate of fifty lines per commit, that is around 135 million lines of new or modified code per day, on just the public areas of one platform.
Among these thousands of lines of code, only a small proportion contain defects. Of these, only a fraction carry security implications, and fewer still are remotely exploitable. Because of the sheer amount of code we produce daily, however, this results in large quantities of potentially impactful defects. On GitHub alone, an estimated 7 to 50 remotely exploitable vulnerabilities are introduced each day, according to independent analyses of the CISA Known Exploited Vulnerabilities catalogue by the author and S2W.
And this only concerns newly written code. It excludes the hundreds of billions of lines already in production: legacy systems, unmaintained libraries, and software embedded in smart systems. This structural dynamic, combined with persistent motive and expanding capability, results in a permanent state of cyber insecurity.
Coping patterns in cybersecurity
Cybersecurity professionals have a range of responses to the stress of cyber insecurity. Coping theory provides a framework for categorising these responses, with three recurring patterns particularly visible in cybersecurity practice.
- Disengagement
In coping theory, disengagement is withdrawal from a stressor appraised as uncontrollable. Disengagement reduces immediate cognitive and emotional load: vigilance decreases, responsibility is psychologically distanced, and the demand for action is lowered. In the short term, this makes the situation more manageable. Over time, however, reduced engagement means fewer attempts to intervene, and therefore fewer situations in which action leads to improvement. This reinforces the perception that effort is ineffective and that further action is unlikely to make a difference.
Disengagement is a self-preserving but ultimately fatalistic reflex among cybersecurity professionals. It often emerges from sustained exposure to problems that cannot be fully resolved, or from a lack of time, talent, and tools to address them effectively. In the context described above, where professionals report exhaustion and disrupted sleep, disengagement can be understood as a way to reduce continued psychological strain. The problem is reframed as outside the practitioner’s control, making further effort appear unnecessary.
In practice, this can take many forms, including accepting (recurring) vulnerabilities as unfixable, doing only what is minimally required, or no longer escalating known security weaknesses after repeated reporting fails to produce change.
- Rigid problem-focused coping
The opposite impulse is the conviction that cyber insecurity can be controlled, for instance through the rigid application of frameworks and procedures (such as ISO 27001, the NIST Cybersecurity Framework, risk registers, and maturity models). These frameworks provide structure, coordination, and a shared language for managing risk and offer a sense of control. Over time, rigid adherence to them can become a proxy for control: if the framework is complete, the organisation is assumed to be secure, even when underlying vulnerabilities persist.
This is the dominant response within the cybersecurity profession. Practitioners are expected to stay ahead of threats, prevent incidents, and maintain control over inherently unstable systems.
This approach is effective where aspects of the stressor are controllable – for instance, in patching known vulnerabilities. These actions reduce risk and, consequently, stress. But cyber insecurity is structural and cannot be resolved through cumulative effort. Breaches will still occur despite sustained work, creating a persistent mismatch between effort and outcome.
This mismatch helps explain why increasing effort – putting in more work hours, implementing new tools, or training additional personnel – does not resolve insecurity as a structural condition. These measures can reduce specific risks and sometimes alleviate strain locally. At the same time, they introduce new demands in the form of implementation effort, coordination overhead, and maintenance responsibilities. Professionals therefore continue to invest heavily in preventing incidents that cannot be fully prevented, which helps explain the high levels of exhaustion and overwork observed in the field.
- A more sustainable approach: combined coping
The most sustainable response to structural insecurity combines problem-focused action where change is possible with acceptance and preparation where it is not. Coping research suggests that effective coping requires altering what can be altered and regulating one’s response to what cannot.
In cybersecurity, this means accepting that failure cannot be fully prevented. Vulnerabilities will be introduced, users will make mistakes, dependencies will fail, and attackers will occasionally succeed.
At the same time, defensive posture is continuously improved through concrete action: patching exploited vulnerabilities, hardening recurring weaknesses, and iterating based on evidence. Effort must be directed toward interventions that demonstrably reduce risk, rather than toward activities that primarily create a sense of control.
This reduces the mismatch between effort and outcome described above. Incidents are expected rather than experienced as failure, and response and recovery become part of normal operations rather than exceptional events. Small risk reductions still accumulate, but they are not expected to eliminate insecurity.
The strength of combined coping is sustainability. It maintains effectiveness without the expectation that insecurity can be fully resolved, reducing the strain of persistent effort.
Its risk is imbalance. Acceptance without action drifts toward disengagement. Action without acceptance drifts toward rigid control. In this sense, cybersecurity is not the management of a solvable problem, but the continuous engagement with an unsolvable one. The practitioners who sustain effectiveness over time are those who align their efforts with this reality, rather than working against it.






