//
you're reading...
Information Security, IT & TECHNOLOGY

Cyber Security Tip for CISOs: Beware of Security Fatigue


CSA-Logo

security-fatigue-blogWhat’s the most effective thing you can do for cyber security awareness? Stop talking about it, according to a new study that uncovered serious security fatigue among consumers. The National Institute of Standards and Technology study, published recently, found many users have reached their saturation point and become desensitized to cyber security. They’ve been so bombarded with security messages, advice and demands for compliance that they can’t take any more—at which point they become less likely to comply.

Security fatigue wasn’t even on the radar
Study participants weren’t even asked about security fatigue. It wasn’t until researchers analyzed their notes that they found eight pages (single-spaced!) of comments about being annoyed, frustrated, turned off and tired of being told to “watch out for this and watch out for that” or being “locked out of my own account because I forgot or I accidentally typed in my password incorrectly.” In fact, security fatigue was one of the most consistent topics that surfaced in the research, cited by 63 percent of the participants.

The biases tied to security fatigue
When people are fatigued, they’re prone to fall back on cognitive biases when making decisions. The study uncovered three cognitive biases underlying security fatigue:

  • Users are personally not at risk because they have nothing of value—i.e., who would “want to steal that message about how I made blueberry muffins over the weekend.”
  • Someone else, such as an employer, a bank or a store is responsible for security, and if targeted, they will be protected—i.e., it’s not my responsibility
  • No security measures will really make a difference—i.e., if Target and the government and all these large organizations can’t protect their data from cyber attacks, how can I?

The repercussions of security fatigue
The result of security fatigue is the kind of online behavior that keeps a CISO up at night. Fatigued users:

  • Avoid unnecessary decisions
  • Choose the easiest available option
  • Make decisions driven by immediate motivations
  • Behave impulsively
  • Feel a loss of control

What can you do to overcome employee security fatigue?
To help users maintain secure online habits, the study suggests organizations limit the number of security decisions users need to make because, as one participant said, “My [XXX] site, first it gives me a login, then it gives me a site key I have to recognize, and then it gives me a password. If you give me too many more blocks, I am going to be turned off.”

The study also recommends making it simple for users to choose the right security action. For example, if users can log in two ways—either via traditional username and password or via a more secure and more convenient personal identity verification card—the card should show up as the default option.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Web Stats

  • 124,624 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,533 other followers

Twitter Updates

Archives

November 2016
M T W T F S S
« Sep   Dec »
 123456
78910111213
14151617181920
21222324252627
282930  
%d bloggers like this: