Term of the Week: Security Fatigue

What is it?

The psychological state one reaches when security decisions become too numerous and/or too complex, thus inhibiting good security practices.

Why is it important?

Security fatigue can cause weariness, hopelessness, frustration, and devaluation, all of which can result in poor security practices.

Why does a business professional need to know this?

Security fatigue — feeling tired, turned off, or overwhelmed in response to online security — makes users more likely to ignore security advice and engage in online behaviors that put them at risk. Users favor following practices that make things easier and less complicated, even if they recognize that these practices may not be as secure.

Security fatigue presents a significant challenge to efforts to promote online security and online privacy. The ability to make decisions is a finite resource. Security fatigue is a cost that users experience when bombarded with security messages, advice, and demands for compliance.

Too often, individuals are inundated with security choices and asked to make more security decisions than they are able to process. Adopting security advice is an ongoing cost that users continue to experience. When faced with this fatigue and ongoing security cost, users fall back on heuristics and cognitive biases such as the following:

  • Avoiding unnecessary decisions
  • Choosing the easiest available option
  • Making decisions driven by immediate motivations
  • Choosing to use a simplified algorithm
  • Behaving impulsively
  • Resignation

Understanding how the public thinks about and approaches cybersecurity provides us with a better understanding of how to help users be more secure in their online interactions. The following steps can help users adopt more secure online practices:

  • Limit the decisions users have to make for security
  • Make it easy for users to do the right thing related to security
  • Provide consistency (whenever possible) in the decisions users need to make

About Mary Frances Theofanos

Mary Theofanos is a computer scientist with the National Institute of Standards and Technology, Materials Measurement Laboratory, where she performs research on usability and human factors of systems. Mary is the principal architect of the Usability and Security Program, evaluating the human factors and usability of cybersecurity and biometric systems. She represents NIST on the ISO JTC1 SC7 TAG and is co-convener of Working Group 28 on the usability of software systems.

Term: Security Fatigue

Email: mary.theofanos@nist.gov

Website: nist.gov/topics/cybersecurity
