What is it?
The psychological state one reaches when security decisions become too numerous and/or too complex, thus inhibiting good security practices.
Why is it important?
Security fatigue can cause weariness, hopelessness, frustration, and devaluation, all of which can result in poor security practices.
Why does a business professional need to know this?
Security fatigue — feeling tired, turned off, or overwhelmed in response to online security — makes users more likely to ignore security advice and engage in online behaviors that put them at risk. Users favor following practices that make things easier and less complicated, even if they recognize that these practices may not be as secure.
Security fatigue presents a significant challenge to efforts to promote online security and online privacy. The ability to make decisions is a finite resource. Security fatigue is a cost that users experience when bombarded with security messages, advice, and demands for compliance.
Too often, individuals are inundated with security choices and asked to make more security decisions than they are able to process. Adopting security advice is an ongoing cost that users continue to experience. When faced with this fatigue and ongoing security cost, users fall back on heuristics and cognitive biases such as the following:
- Avoiding unnecessary decisions
- Choosing the easiest available option
- Making decisions driven by immediate motivations
- Choosing to use a simplified algorithm
- Behaving impulsively
- Resignation
Understanding how the public thinks about and approaches cybersecurity provides us with a better understanding of how to help users be more secure in their online interactions. The following steps can help users adopt more secure online practices:
- Limit the decisions users have to make for security
- Make it easy for users to do the right thing related to security
- Provide consistency (whenever possible) in the decisions users need to make
References
- (Theofanos 2016) Cybersecurity Fatigue Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests : National Institute for Standards and Technology. Theofanos, Mary F. (2016). Explores the concept of security fatigue. Argues for the need to develop awareness of the dangers and to help alleviate the fatigue users experience.
- (Stanton 2016) Security Fatigue: Stanton, Brian et al. (2016). IT Pro Magazine, 18(5), pp. 26-32. PDF. Identifies the role security fatigue plays in security decisions. Provides three suggestions to minimize security fatigue.
About Mary Frances Theofanos
Mary Theofanos is a computer scientist with the National Institute of Standards and Technology, Materials Measurement Laboratory, where she performs research on usability and human factors of systems. Mary is the principal architect of the Usability and Security Program, evaluating the human factors and usability of cybersecurity and biometric systems. She represents NIST on the ISO JTC1 SC7 TAG and is co-convener of Working Group 28 on the usability of software systems.
Term: Security Fatigue
Email: mary.theofanos@nist.gov
Website: nist.gov/topics/cybersecurity
13 NOV 2018 NEWS
Employees’ Poor Security Habits Getting Worse, Survey Finds. How sad!
https://www.infosecurity-magazine.com/news/employees-poor-security-habits/