An overabundance of security news and alerts has led to “security fatigue,” which is causing users to make bad choices when it comes to online security, suggests a report from the National Institute of Standards and Technology (NIST).
Although the report just came out Oct. 4, the data collection for the study took place from January to March 2011 and included 40 interviews with participants, including men and women from the Washington, D.C., metropolitan area and central Pennsylvania. The report is one of many that are likely to debut this month, which has been dubbed National Cyber-Security Awareness Month (NCSAM).
“We were completely surprised by the findings,” report co-author and NIST computer scientist Mary Theofanos said in a video discussing the results. “We found this underlying theme of fatigue and weariness, which came with dread and resignation.”
Theofanos explained that the more decisions an individual makes in the course of the day, the harder it is to make decisions. When individuals get tired of making decisions, their brains go into another mode to either avoid decisions or fall back on existing habits, she said.
This so-called security fatigue phenomena is a key reason users are reusing passwords and perhaps not taking all the right measures to stay safe online.
The idea of security fatigue is not surprising to me, and it’s a challenge that I grapple with every day as the volume of data breaches and security exploits seems to be never-ending.With so much bad news, it’s almost understandable why some people might just resign themselves to the fact that online security is out of reach.
A defeatist attitude, however, is not the right answer. It’s just a symptom of security fatigue. People reuse passwords not because they want to get hacked but because it’s easier to remember a password they already use. The internet and technology, in general, are adopted by consumers not because it is hard to consume, but rather because it is easy and useful.
NIST has three primary suggestions to help reduce security fatigue:
- Limit the number of security decisions users need to make;
- Make it simple for users to choose the right security action; and
- Design for consistent decision making whenever possible.
All of those suggestions are clearly valuable, as they place the onus of responsibility on application developers and vendors to enable users to make the right choices. Although that’s helpful, it can also potentially remove users from elements of the security decision-making process.
Back in 2014, Alex Stamos, Yahoo’s chief information security officer at the time, told attendees at the Black Hat USA conference that to keep users secure, big vendors like Yahoo needed to take a “security paternalistic” approach in which the vendor knows how to protect users.
Stamos left Yahoo in 2015, and this past week, we learned that his departure may have been tied to an effort from Yahoo to scan user emails at the request of the National Security Agency.
As such, can or should users really trust big vendors and service providers to know and do what’s best?
It’s not an easy question to answer. The simple fact, though, is that application developers and internet sites like Yahoo have more resources and expertise than any one individual user is likely to have. As NIST suggests, there are steps that vendors can take to reduce security fatigue, but users for their own safety still must take some responsibility.
It is the right thing for developers to build applications that are secure by design—that limit the risks of exploitation and enforce strong authentication principles. User experience must not be considered a higher priority than security, and vice versa.
Typically, my own smart-aleck response whenever someone talks to me about fatigue is to tell them to simply sleep more and get some rest. In the modern always-on world, the constant need to be connected and stay secure doesn’t allow for rest. But maybe, just maybe, if application developers and vendors follow NIST’s three suggestions, users will get the short respite they need to avoid security fatigue.
Sean Michael Kerner is a senior editor at eWeek and InternetNews.com. Follow him on Twitter @TechJournalist.