Cyber Security Tip for CISOs: Beware of Security Fatigue

What’s the most effective thing you can do for cyber security awareness? Stop talking about it, according to a new study that uncovered serious security fatigue among consumers. The National Institute of Standards and Technology study, published recently, found many users have reached their saturation point and become desensitized to cyber security. They’ve been so bombarded with security messages, advice and demands for compliance that they can’t take any more—at which point they become less likely to comply.

Security fatigue wasn’t even on the radar
Study participants weren’t even asked about security fatigue. It wasn’t until researchers analyzed their notes that they found eight pages (single-spaced!) of comments about being annoyed, frustrated, turned off and tired of being told to “watch out for this and watch out for that” or being “locked out of my own account because I forgot or I accidentally typed in my password incorrectly.” In fact, security fatigue was one of the most consistent topics that surfaced in the research, cited by 63 percent of the participants.

The biases tied to security fatigue
When people are fatigued, they’re prone to fall back on cognitive biases when making decisions. The study uncovered three cognitive biases underlying security fatigue:

• Users are personally not at risk because they have nothing of value—i.e., who would “want to steal that message about how I made blueberry muffins over the weekend.”
• Someone else, such as an employer, a bank or a store is responsible for security, and if targeted, they will be protected—i.e., it’s not my responsibility
• No security measures will really make a difference—i.e., if Target and the government and all these large organizations can’t protect their data from cyber attacks, how can I?

The repercussions of security fatigue
The result of security fatigue is the kind of online behavior that keeps a CISO up at night. Fatigued users:

• Avoid unnecessary decisions
• Choose the easiest available option
• Make decisions driven by immediate motivations
• Behave impulsively
• Feel a loss of control

What can you do to overcome employee security fatigue?
To help users maintain secure online habits, the study suggests organizations limit the number of security decisions users need to make because, as one participant said, “My [XXX] site, first it gives me a login, then it gives me a site key I have to recognize, and then it gives me a password. If you give me too many more blocks, I am going to be turned off.”

The study also recommends making it simple for users to choose the right security action. For example, if users can log in two ways—either via traditional username and password or via a more secure and more convenient personal identity verification card—the card should show up as the default option.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]