Curing Security Fatigue
I recently tried to log into an account, but I wasn’t able to because my password or my username was incorrect. I tried to reset both of them. It didn’t work. After a few more tries and some frustration, I gave up. It’s a phenomena that happens every single day, and it’s causing poor cybersecurity. It’s called “security fatigue,” and it exposes online users to risk and costs businesses money in lost customers.
A recent study from the National Institute of Standards and Technology (NIST) found that a majority of the typical computer users who were interviewed experienced security fatigue that often leads users to risky computing behavior at work and in their personal lives.
Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security: “I don’t pay any attention to those things anymore… People get weary from being bombarded by ‘watch out for this or watch out for that.’”
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” says cognitive psychologist and co-author Brian Stanton. “It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet. If people can’t use security, they are not going to, and then we and our nation won’t be secure,” Stanton says.
The study draws on data from a qualitative study on computer users’ perception and beliefs about cybersecurity and online privacy. The subjects ranged in age from their 20s to their 60s; were from urban, suburban and rural areas; and held a variety of jobs. The interviews focused on the subjects’ work and home computer use, specifically about online activity, including shopping and banking, computer security, security terminology and security icons and tools.
“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” computer scientist and co-author Mary Theofanos says.
“Years ago, you had one password to keep up with at work,” she says. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”
The multidisciplinary team learned that the majority of their average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.
When asked to make more computer security decisions than they are able to manage, they experience decision fatigue, which leads to security fatigue, the study notes. Researchers also found that the result of weariness leads to feelings of resignation and loss of control. These reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively and failing to follow security rules.
According to the study, comments among those who expressed feelings of security fatigue included:
• “I get tired of remembering my username and passwords.”
• “I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”
• “It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.”
Participants also wonder why they would be targeted in a cyberattack. The data showed that many interviewees did not feel important enough for anyone to want to take their information, nor did they know anyone who had ever been hacked. Commenters also expressed the sentiment that safeguarding data is someone else’s responsibility, leaving computer security up to their bank, online store or someone with more experience. Individuals also questioned how they could effectively protect their data when large organizations frequently fall victim to cyberattacks.
The data provided evidence for three ways to ease security fatigue and help users maintain secure online habits and behavior. They are:
1. Limit the number of security decisions users need to make;
2. Make it simple for users to choose the right security action; and
3. Design for consistent decision making whenever possible.
What are you doing in your enterprise to combat security fatigue? I’d like to know. Email me at firstname.lastname@example.org