Fatigue affects both users and businesses
A new study from the National Institute of Standards and Technology (NIST) examined the phenomenon of "security fatigue" and what it means for cybersecurity today.
Researchers looked into how "security fatigue" -- carelessly using the same password, abandoning a transaction because of the need to create a new account -- affects online experiences across the board. In the study, NIST researchers used various data techniques to identify security fatigue amongst web users. Once identified, researchers also analyzed contributing factors, symptoms, and outcomes of fatigue.
According to the NIST, security fatigue is a negative for both users and businesses. Fatigue increases overall security risks for users, while it can take money out the pockets of businesses.
Researchers not directly studying fatigue
Fatigue was not even an original component the interview protocol. However, as researchers began to interview participants, issues with fatigue continually appeared.
"We weren't even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data." -- Mary Theofanos, computer scientist and co-author of the study
Throughout the study, participants showed a number of telltale signs of security fatigue -- resignation, loss of control, decision avoidance, etc.
— NIST (@usnistgov) October 12, 2016
Easing security fatigue
The NIST laid out three easy steps to easing the fatigue that so many users experience now:
-- Limit security decisions for users.
-- Simplify security action choices for users.
-- Use design to increase consistency in decision making.