Security Fatigue Is a Cyber Risk
I had never heard the term “security fatigue”, but according to an article by Diane Ritchey in Security Magazine the majority of computer users experience it. (The article is at https://www.securitymagazine.com/articles/89370-curing-security-fatigue.)
A study of computer users’ perceptions and beliefs about cybersecurity and privacy showed an “overwhelming feeling of weariness”, according to co-author Mary Theofanos. The weariness comes from having to remember numerous passwords, PINs and usernames; being bombarded with security alerts; and needing to make constant security decisions. Decision fatigue leads to security fatigue, which results in users taking the path of least resistance and failing to follow security rules.
Many interviewees felt their information was not important enough for anyone to steal; did not know anyone who’d been hacked; thought security was someone else’s responsibility; or felt they could not protect their data effectively. These attitudes lead to unsafe behavior.
System administrators can ease security fatigue by limiting the number of decisions users need to make, making it simple for users to choose the right action, and designing systems for consistent decision making. There are no easy answers for users; we have to train ourselves to make the right decisions until they are second nature.