
Q002 — Barriers to Security Scanning: Complexity Over Fatigue — Assessment


The primary barriers are complexity/awareness, false positive rates, and maintenance burden. Evidence for 'security fatigue' as a temporal pattern is suggestive but not directly demonstrated. The pattern of persistent vulnerable consumption is better characterized as structural friction than episodic fatigue.

Evidence Synthesis

Evidence quality: Medium — Academic study on maintainer barriers (mixed-methods, peer-reviewed) provides strong evidence. False positive data comes from vendor sources with commercial bias. No longitudinal time-series data on security tool adoption/abandonment was found.

Source agreement: High — Sources converge on three primary barriers: (1) awareness and complexity, (2) false positive rates (68-91%), (3) lack of automation. Behavioral evidence (13% vulnerable Log4j downloads 3 years post-disclosure) is consistent with security fatigue.

Independence: The academic study (arxiv 2409.07669v2) and the Sonatype data are independent sources converging on similar findings. False positive rate data comes from multiple vendors (Ghost Security, NIST, Veracode, OX Security) with different methodologies.

Probability Assessment

Confidence: Medium

Evidence Gaps

Expected but not found:
- Time-series data showing security tool adoption rates before and after Log4Shell (or similar incidents).
- Longitudinal study tracking CI workflow changes (tools added then removed) over time.
- Dependabot alert dismissal rates across GitHub.

Unanswered questions:
- Is there empirical evidence for post-incident adoption surges that reverse over time?
- What is the rate of security tool removal from CI configurations after initial adoption?
- What fraction of Dependabot alerts are dismissed without action?

Impact on confidence: The lack of direct time-series data means the 'security fatigue' concept can be neither confirmed nor refuted. The barriers identified are well-supported, but the temporal dynamics of adoption and abandonment remain unstudied.
