A study by the U.S. National Institute of Standards and Technology (NIST) found a general feeling of “overwhelming weariness” among computer users faced with security alerts. As the BBC reports, the group’s interviewers weren’t initially assessing subjects for security fatigue. However, it began to look into the issue as the number of reports grew.
NIST defined security fatigue as “a weariness or reluctance” to deal with computer security. The study cited one respondent who said “I don’t pay any attention to those things anymore.” The group found security fatigue has occurred as a consequence of incessant warnings and alerts regarding online threats and computer viruses.
Many subjects said they feel “overwhelmed” by the pressure to be vigilant while browsing the internet. Complicated security and privacy policies on websites and at work leave people feeling worn out. Over time, users naturally begin to ignore the advisories, despite the important security messages within. This leads to neglect of best practices and an increased risk of attack.
The study also found that many people are worn down by the number of passwords and PIN codes they need to remember to access online services. Additional security steps imposed by banks and other sensitive sites also frustrate consumers, causing people to make poor choices when creating security information and setting up new accounts.
“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said computer scientist and co-author Mary Theofanos. “Years ago, you had one password to keep up with at work. Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”
The researchers behind the study suggested three effective ways to reduce security fatigue and convince users to adopt good habits online. First and foremost, the number of decisions a user needs to make should be limited. This prevents people from feeling bombarded by constant choices and demands for additional input.
Next, the best security action to take should be emphasised, making it simpler for users to see what they need to do and why. The team also advised that application developers design for consistent decision making wherever possible. This makes the security process more predictable for the user, so they’re more likely to follow it through to completion.
As a consequence of the study, NIST has decided to complete additional research into the security views of computer users with varying levels of responsibility. Previously, it concentrated on members of the public aged between 20 and 70. The group will now target individual roles, such as cybersecurity professionals, mid-level employees with responsibility for personally identifiable information and workers who use computers but are not primarily concerned with security.
The study suggests that recent reports of hacks, malware campaigns, malicious adverts and ransomware attacks have overwhelmed computer users. Faced with a barrage of information, most people have naturally blocked it out, leaving themselves less secure online. Cybersecurity experts, app developers and the media have all played a role in creating the state of “security fatigue.” Now a way needs to be found to reverse the concerning trend.
