‘Security fatigue’ leading computer users to more or less just give up


Do you use the same password for multiple sites?

Do your eyes glaze over after sites like LinkedIn or Yahoo get massively hacked and, like clockwork, the security wonks come wagging their fingers at you for reusing your passwords?

Do you shrug and say “Hey, it’s not my job to keep those sites from getting turned upside down and shaken by their ankles until all the data tumbles out – it’s theirs!

If any of that rings a bell, you’re not alone.

Either you need to take a nap, and/or the people who write security warnings need to figure out how to make it all simpler for users, because many of us are suffering from a common malady called security fatigue.

That’s what it’s called in a new study from the National Institute of Standards and Technology (NIST) on what makes computer users feel hopeless and act recklessly.

The study defines security fatigue as “a weariness or reluctance to deal with computer security.”

One of the study research subjects put it this way:

I don’t pay any attention to those things anymore… People get weary from being bombarded by ‘watch out for this or watch out for that.’

Brian Stanton, one of the study’s co-authors and a cognitive psychologist:

The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life.

It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.

If people can’t use security, they are not going to, and then we and our nation won’t be secure.

The study was published this week in IEEE’s IT Professional. It surveyed subjects ranging in age from their 20s to their 60s who come from a diverse mix of suburban and rural areas and who hold a variety of jobs.

The researchers focused on people’s work and home computer use, specifically about online activity, including shopping and banking, computer security, security terminology, and security icons and tools.

Another of the study’s co-authors, computer scientist Mary Theofanos, said the researchers didn’t even have security fatigue in their sights when they set out to do the study. It just oozed out of all those fed-up people, she said:

We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data.

Years ago, you had one password to keep up with at work.

Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.

Indeed. Here’s what it’s done to one study participant quoted by NIST:

I get tired of remembering my username and passwords.

Right about now is when security people will say, “Well, you shouldn’t have to remember your passwords – whether it’s 10 of them or 100! That’s what password managers are for: they’re applications that remember your passwords for you!”

Another study subject:

I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.

Security wonk line: “Password managers can store secure notes, too, so you don’t have to remember PINs, either!”

All you have to do is install a password manager on your mobile devices and desktop. Then when you want to get at, say, your bank’s site to do a little banking from your phone, you just have to start the password manager by pecking at your phone’s teensy tinsy keyboard to input your one very, very strong master password (which, OK, yes, you do have to come up with [here’s how!] and yes, you do have to remember that one), search for the bank’s URL in your password manager’s vault, launch it, then… um… watch as it gives you an error message and fails to log you in, so you launch the bank’s app separately, switch back to your password manager, copy the password, switch back again to the bank app, paste in the bank site password, and presto!

Another slice of your life has dribbled away for the cause of cyber security.

“Umm… NO!!!,” much of the world says to all that, including this tired lab rat:

It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.

The multidisciplinary research team found that the majority of average computer users “felt overwhelmed and bombarded,” got fed up with being on constant alert, having to adopt safe behavior, and trying to understand the nuances of online security issues.

Too many security decisions than they can manage leads to decision fatigue, which leads to security fatigue, which leads to feelings of resignation and loss of control, which in turn lead to just avoiding those decisions entirely.

What fills in that gap: very bad choices – including, for example, using the same password multiple times – impulsive behavior, and ignoring security rules.

Some of the other notions that feed into security fatigue:

  • Why would a cyberattacker target me? I’m not important enough for anyone to want my information, and I don’t know anyone who’s ever been hacked.
  • Safeguarding data is someone else’s responsibility, be it my bank, an online store or someone with more experience.
  • How am I supposed to protect my data when big organizations can’t even do it?

Stanton and Theofanos suggest that to fix this situation, it will take a multidisciplinary team of computer security experts, psychologists, sociologists and anthropologists working together to improve computer security issues, including behavior.

The researchers offered these three ways to ease security fatigue and help users maintain secure online habits and behavior:

  1. Limit the number of security decisions users need to make
  2. Make it simple for users to choose the right security action
  3. Design for consistent decision making whenever possible