Security fatigue is real – we need usable security

A preliminary study involving 40 computer users of different ages, occupations, and living situations has shown what most of us already know to be true: security fatigue is a real thing.

Security fatigue: Users face too many security decisions

Security fatigue – weariness from dealing with computer security as well as reluctance to do so – leads to risky computing behavior such as avoiding security decisions altogether and going with the easiest option, failure to follow security rules, and so on. It also carries with it a sense of dread and, ultimately, resignation.

The subjects were asked details about their home and work computer use, and about computer security, security terminology, security icons and tools.

Aside from an obvious disbelief in the idea that they could be important enough to be targeted in a cyberattack, the responses also showed an “overwhelming feeling of weariness”.

The respondents are tired of having to memorize usernames and passwords, PINs and security questions; of having to be constantly wary of possible dangers, of having to discern the subtleties of different online security issues, and of having to make (too many) smart decisions to keep themselves secure.

“The more decisions we make in the course of the day, the harder they become,” says computer scientist Mary Theofanos, who is one of the authors of the study. And once users reach the stage when they are simply too tired to make them, they either begin avoiding making a decision altogether, or fall back into (usually bad) habits.

Instilling good security habits into users is, of course, one of the solutions to this problem.

Others include organizations (banks, online retailers, and so on) making it simple for users to opt for the right security action, designing their offerings in a way that pushes users towards consistent decision making, and minimizing the number of security decisions users are asked to make.

In short, organizations should make it easy for users to do the right thing, make it hard to do the wrong thing, and help users to recover when the wrong thing happens, says Theofanos.

The researchers are set to continue the interviews about online security, and will include subjects such as cybersecurity professionals, employees tasked with keeping user data secure, and employees who have no such responsibility but use computers in their day-to-day job.

Creating usable security is critical, study co-author Brian Stanton noted, as more and more information gets moved to the Internet, and more and more everyday tasks are performed online.