US NIST Warns Security ‘Fatigue’ is Putting Users at Risk

A reluctance to deal with computer security is putting users in danger online as they take unnecessary risks due to general fatigue with things like passwords, according to a new NIST study.

The US standards body uncovered feelings of resignation, loss of control, fatalism, risk minimization, and decision avoidance in its interviews with a range of ordinary computer users aged between 20 and 60-years-old.

The research team found respondents have grown tired of being on constant alert for online threats and of trying to understand the nuances of online security issues.

“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said co-author Mary Theofanos, in a statement.

“Years ago, you had one password to keep up with at work. Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”

The resignation and loss of control that often results from this decision and security fatigue can lead to impulsive behavior, failure to follow best practice security, and choosing the easiest option, the report claimed.

Cybersecurity was described by many as someone else’s responsibility, and respondents frequently questioned how they could improve personal data protection when large organizations continue to fall victim to hackers.

The report suggested three ways to overcome security fatigue: limit the number of decisions users must make; make it easy to choose the right security decision; and design for consistent decision making where possible.

Piers Wilson, head of product management at Huntsman Security, argued that fatigue has also spread to those working in IT security.

“As organizations have got better at detecting threats and attacks, and bought more and more control and detection solutions, the average security analyst now has an ever-growing stream of warnings and alerts to triage, investigate, understand and resolve,” he added.

“Quite often, due to well publicized staff and skills shortages, they will be working in a team that is the same size; or at least hasn't grown in line with the volume of threat information and false positives they are now dealing with.”

What’s Hot on Infosecurity Magazine?