Constant cyber warnings and security protocols may be negatively impacting users’ behavior. A study by the U.S. National Institute of Standards and Technology argues that as people are increasingly bombarded with security warnings, asked to manage and frequently update multiple passwords, they develop security fatigue.
When fatigue sets in, users become desensitized to security risks and engage in risky computing behavior. Since a leading cause of data breaches is employee negligence, this poses a tremendous liability to businesses. It also exposes users to risk in their personal lives.
Too Many Decisions
You’ve likely heard of decision fatigue. As people make more decisions during the day, the quality of their decision making deteriorates. For example, research has shown that the quality of judges’ rulings erodes as the day goes by. The more decisions we make through the day, the more difficult decisions become.
When we’re asked to make more decisions than we can process, our brains look for shortcuts. We tend to act impulsively, fall back on habits, or we just avoid decision making altogether. This is why President Obama only wore gray and blue suits while in office and why Mark Zuckerberg wears versions of the same T-shirt. They understand that economizing their decisions enables them to make better decisions when it matters.
The authors argue that, much like decision fatigue, security fatigue sets in when users reach a threshold where maintaining proper security protocols becomes too difficult or burdensome. When this happens, they engage in less secure online behavior or fail to act at all. While cyber security experts view this behavior as irrational, the study’s authors argue that when viewed through the lens of security fatigue, the users’ behavior makes sense, reflecting an astute cost-benefit analysis.
Weariness, Denial, and Resignation
The researchers didn’t set out to study fatigue. But in the process of conducting a larger qualitative study, they couldn’t help but notice the participants’ indicators of fatigue. “We were completely surprised by our findings. What we found is an underlying theme of fatigue and weariness, which came with dread and resignation,” said computer scientist Mary Frances Theofanos.
The authors noted that security fatigue led the participants to develop certain biases. They minimized the likelihood of being targeted in a security attack, maintaining they weren’t important enough for anyone to want their data. They expressed that guarding data isn’t their responsibility, leaving it up to others with more experience.
The participants also conveyed a sense of not having control, arguing that their actions don’t make a difference. “If I took all the security measures possible, and I made my password d3121, unlike scissors90, is it going to make all that difference? I don’t have to be vigilant all the time. If it is going to happen, it is going to happen.”
Easing Security Fatigue
The study offered three ways to lessen security fatigue to help users maintain secure online habits. These are:
· Limit the number of security decisions users are required to make
· Make it easier for users to take correct security actions and more difficult to take incorrect actions
· Design security protocols for consistent decision making
The researchers urged security designers to be conscious of the areas of their designs that cause security fatigue. Designing with security fatigue in mind will reduce the likelihood that users become resigned or complacent, or develop a sense of having lost control over their online security.