NIST finds security fatigue endemic among computer users
A new study by the National Institute of Standards and Technology (NIST) found that a majority of typical computer users experience “security fatigue” that often leads to risky computing behavior at work and in their personal lives.
Security fatigue is defined in the study as a weariness or reluctance to deal with computer security.
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said Brian Stanton, a cognitive psychologist and co-author of the report. “It is critical because so many people bank online, and since health care and other valuable information is being moved to the Internet.”
The study, published this week in IEEE’s IT Professional, draws on data from a qualitative study on computer users’ perception and beliefs about cybersecurity and online privacy. The subjects ranged in age from their 20s to their 60s, hailed from urban, suburban and rural areas, and held a variety of jobs.
The qualitative study’s interviews focused on the subjects’ work and home computer use, and specifically homed in on online activity, including shopping and banking, computer security, security terminology, and security icons and tools.
The study found that the majority of average computer users felt overwhelmed and bombarded, and that they were tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues. When asked to make more computer security decisions than they are able to manage, users experience decision fatigue, which leads to “security fatigue”.
Researchers found that this weariness leads to feelings of resignation and loss of control. Such reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules.
Typical examples of security fatigue include being tired of remembering usernames, passwords and PINs, navigating multiple security measures, and account lockouts due to incorrectly entered passwords.
The study also found that users believe safeguarding data is someone else’s responsibility, and users questioned how they could effectively protect their data when large organizations frequently fall victim to cyber attacks.
According to the report’s abstract: “Security fatigue has been used to describe experiences with online security. This study identifies the affective manifestations resulting from decision fatigue and the role it plays in users’ security decisions. A semistructured interview protocol was used to collect data (N = 40). Interview questions addressed online activities; computer security perceptions; and the knowledge and use of security icons, tools, and terminology. Qualitative data techniques were used to code and analyze the data identifying security fatigue and contributing factors, symptoms, and outcomes of fatigue. Although fatigue was not directly part of the interview protocol, more than half of the participants alluded to fatigue in their interviews. Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.”
The report postulates three methods to ease security fatigue and help users maintain secure online habits and behavior. They are: limit the number of security decisions users need to make; make it simple for users to choose the right security action; and design for consistent decision making whenever possible.
To obtain a clearer picture of computer security behavior, the researchers will in the near term be interviewing additional computer users with varying levels of security responsibility, including: cybersecurity professionals; mid-level employees responsible for protecting personally identifiable information in fields such as health care, finance and education; and workers who use computers but for whom security is not their primary responsibility.
The full report is available to IEEE paid subscribers.