NIST study warns on cyber ‘security fatigue’
A majority of computer users suffer from “security fatigue” — a weariness of or reluctance to engage with cybersecurity — that leads them into risky behavior online, according to a new study by government scientists.
“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said study co-author Mary Theofanos, a computer scientist at the National Institute for Standards and Technology.
“Years ago, you had one password to keep up with at work,” she said in a NIST blog post Tuesday. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”
The study — out this week in IT Professional, a journal published by the prestigious Institute of Electrical and Electronics Engineers — draws on interviews with 40 computer users carried out under a “semistructured” protocol, meaning the participants were all asked the same open-ended questions.
“Interview questions addressed online activities; computer security perceptions; and the knowledge and use of security icons, tools, and terminology,” the researchers said.
The answers were analyzed using qualitative techniques rather than statistical ones, meaning researchers studied the language used by respondents rather than just counting how many gave which answers. Therefore, although the interviewees ranged in age from their 20s to their 60s, lived in urban, suburban and rural areas, and held a variety of jobs, they are not mathematically representative of the U.S. population as a whole, and the study is not statistically valid.
Nonetheless, the authors note that, although there were no questions asked about security fatigue, more than half of respondents reported feeling “overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.”
“Resignation and loss of control”
The multidisciplinary team of researchers — three from NIST and one independent — found that users’ weariness led to feelings of “resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.” In turn, that made them prone to “avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules” both at work and in their personal online activities including banking and shopping.
Some responses highlighted by the study’s authors as typical include:
- “I get tired of remembering my username and passwords.”
- “I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”
- “It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.”
Respondents also expressed skepticism that they would ever be targeted by hackers. “The data showed that many interviewees did not feel important enough for anyone to want to take their information, nor did they know anyone who had ever been hacked,” states the blog post.
Calling the findings, “critical,” cognitive psychologist and study co-author Brian Stanton said, “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”
The study suggests three ways employers and service providers can try to alleviate security fatigue and “help users maintain secure online habits and behavior.” They are:
- Limit the number of security decisions users need to make;
- Make it very simple for users to choose the right security action; and
- Design to encourage consistent decision making whenever possible.
The blog post says the researchers will continue their work, and will next interview additional professional computer users “of varying levels of responsibility, including cybersecurity professionals; mid-level employees with responsibilities to protect personally identifiable information in fields such as health care, finance and education; and workers who use computers but for whom security is not their primary responsibility.