With
the news of a second, even bigger hack of Yahoo user data, common sense
might conclude that consumers would be scurrying to batten down their
Internet hatches. But a new study indicates otherwise, concluding that
“security fatigue” has made many of us numb to the dangers lurking in
cyberspace.
“Users are tired of being overwhelmed by the need to be
constantly on alert, tired of all the measures they are asked to adopt
to keep themselves safe, and tired of trying to understand the ins and
outs of online security,” a team from the U.S. National Institute of
Standards and Technology concluded in an article for IT Professional,
which is published by IEEE Computer Society. “All of this leads to
security fatigue, which causes a sense of resignation and a loss of
control.”
The study by Brian Stanton, Mary F. Theofanos and Susanne
Furman, all of NIST, along with independent consultant Sandra Spickard
Prettyman, concludes that users have indeed reached this saturation point.
So, the announcement in December by Yahoo that it had
identified another security breach, dating from 2013, that compromised
passwords, birthdays and other personal information from more than 1
billion accounts will likely do little to bolster Internet security –
at least among average users.
In fact, with the rise of mobile, the Internet of things
and the continued linking of just about everything in our personal and
professional lives to global networks, the study underscores what many
have long warned will be a growing number of increasingly bigger
security breaches, from distributed denial of service, or DDoS, attacks,
to hacks of retail, banking, healthcare and other sites that we freely
share our personal information with on a daily basis.
The report is based on the authors’ analysis of a
larger 2011 study of average computer users in the Washington, D.C., and
Central Pennsylvania areas.
Although that original study did not specifically address
security fatigue, the authors say they began to notice “many indicators
in which fatigue surfaced as participants discussed their perceptions
and beliefs about online privacy and security.”
After recoding the data, they said, security fatigue
surfaced in 25 of 40 interviews and was one of the most consistent
codes in the dataset.
“I think I am desensitized to it,” one respondent is
quoted as saying. “I know bad things can happen. You get this warning
that some virus is going to attack your computer, and you get a bunch of
emails that say don’t open any emails, blah, blah, blah. I think I
don’t pay attention to those anymore because it’s in the past. People
get weary of being bombarded by ‘watch out for this or watch out for
that.’”
The authors said the data shows participants often don’t
feel personally at risk, or assume they are not important enough for
anyone to care about stealing their information. They highlight several
comments in which they say the “frustrated tone, minimization of risk
and devaluating of information is evident.”
“It doesn’t appear to me that it poses such a huge
security risk,” one wrote. “I don’t work for the state department, and I
am not sending sensitive information in an email. So, if you want to
steal the message about (how) I made blueberry muffins over the week,
then go ahead and steal that.”
Another wrote: “If someone needs to hack into my emails to
read stuff, they have problems. They need more important things to do.”
What many of the respondents apparently don’t realize is
that while their personal communications and information may be of
little value to hackers and cyber thieves on their face, their lax
security practices enable the bad guys to hijack their computers and
networks and use them in broader attacks, such as DDoS attacks that can
cause huge outages across the Internet.
So what can the IT community do? The researchers said it’s
time to “rethink the way we currently conceptualize the public’s
relationship to cybersecurity.”
They make three specific recommendations:
(i) limit the decisions users have to make related to security,
(ii) make it easier for them to do the right thing and
(iii) provide consistency whenever possible.
For example, in the workplace, they suggest offering
different ways for users to log into the system, including a choice
between a traditional user name and password and the use of a personal
identification and verification card.
“As IT professionals, it is our responsibility to take up
this challenge and work to alleviate the security fatigue users
experience,” they write.
“…We must also continue to investigate users’ beliefs,
knowledge, and use of cybersecurity advice and the factors, such as
security fatigue, that inform them, so we can ultimately provide more
benefit and less cost for adopting cybersecurity advice that will keep
users safe online.”
In other words, improving online security is going to
require a concerted effort not only to educate computer users about the
need to follow security guidelines, but also to provide them with much easier
ways to keep their data safe on an ongoing basis.