Security Fatigue Is a Cyber Risk

Security Fatigue Is a Cyber Risk

September 14, 2018 Business Insurance and Risk Management, The Beacon Blog 0 Comments

I had never heard the term “security fatigue”, but according to an article by Diane Ritchey in Security Magazine the majority of computer users experience it. (The article is at

A study of computer users’ perception and beliefs about cybersecurity and privacy showed an “overwhelming feeling of weariness” according to co-author Mary Theofanos. The weariness comes from having to remember numerous passwords, PIN numbers and usernames; bombardment with security alerts; and needing to make constant security decisions. Decision fatigue leads to security fatigue resulting in users taking the path of least resistance and failing to follow security rules.

Many interviewees felt their information was not important enough for anyone to steal; did not know anyone who’d been hacked; thought security was someone else’s responsibility; or felt they could not protect their data effectively. These attitudes lead to unsafe behavior.

System administrators can ease security fatigue by limiting the number of decisions users need to make; make it simple for users to choose the right action; and design systems for consistent decision making. There are no easy answers for users; we have to train ourselves to make the right decisions until they are second nature.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.