Back in the day—just ten years ago—a cyber-related incident was a big deal. When a major brand was breached on the internet, people freaked out. It was pretty rare, but when it happened—it was something to remember. Today, cyber risk warnings feel almost constant. When we aren’t hearing about a big-time breach or celebrity vulnerability, we’re being bombarded with security prognostications of certain doom and gloom. It can be downright exhausting.
It’s not that the warnings are misplaced; it’s just that people can’t absorb the onslaught, and they eventually tune it out. It’s human nature, and it has a name: “security fatigue.” In fact, a 2016 interview-based study by the National Institute of Standards and Technology (NIST) found that most of the typical computer users it talked to experienced security fatigue, and that those users often engaged in risky computing behavior at work and in their personal lives, largely because they were tired of caring so much.
Case In Point: Cookie Fatigue, Courtesy of GDPR
But what about those folks who don’t know anything about cookies? Maybe they select the “manage cookies” link the first couple of times. But after that? I’m betting 100% of people just click through. Despite the good intention of helping people take some level of data privacy into their own hands, the net result is too many interruptions, so people simply ignore the banner and try to get past the cookie conversation as quickly as they can—after all, they have stuff to do. Just a few months have passed, but we’ve all got cookie fatigue. In the grand scheme of things, cookies aren’t at the top of the security risk list, but anything that contributes to security fatigue can lead to serious, long-term security consequences.
Security Fatigue Isn’t Just An End-user Problem
Security fatigue happens at the organizational level, too. Tools generate so many alerts. There are so many different international, federal, and state data privacy regulations. Vendors issue so many patches and updates. Users have so many devices. There’s so much data being created, transferred, and stored. It’s so … much. And with the global shortage of cybersecurity talent, infosec teams are running lean. It’s no wonder burnout is a huge industrywide problem.
And it’s not just in the security trenches. Right now, corporate boards are facing increased cybersecurity scrutiny and liability exposure, especially in public companies. This can be a good thing. It gives non-technical executive leaders an incentive to learn at least the basics of cyber risk. And it motivates companies to invest in securing the company’s data and systems, and in protecting employees, customers, and partners. But when the newness and scariness of the board-level security spotlight starts to wear off, security fatigue will set in here, too.
What Kind of Problem Is It—and What’s the Solution?
Is it about technology? Training? Regulation? None of these approaches alone will address the issue. Some cyberattacks are purely technology-based—they exploit system vulnerabilities—and we need to close those holes. But many attacks exploit human vulnerabilities, and that’s where it gets tough. The problem with both training and regulations is they tend to be reactive. That might have been fine in the “early days” when hacking was more of an individual sport (and long before security fatigue). But today, cyber criminals are smart, sophisticated, and highly organized. They are always looking for new angles or approaches to infiltrate systems. And as long as humans are fallible, there will be a limitless number of potential attack vectors to exploit.
We need to teach people how to be smart about security and build better habits. Teaching them only to spot the tricks used in the past simply moves the goalposts for the attacker and adds to the noise that produces security fatigue. If you tell people not to respond to emails from Nigerian princes, they may still fall for a phishing email that looks like it came from their bank. (There’s got to be a clever “give a man a phish/teach a man to phish” joke in here somewhere…)
And then, from a technology perspective, we need to make it easy for users to make smart decisions. The NIST report concluded that there are three ways to alleviate security fatigue:
- Limit the number of security decisions users need to make.
- Make it simple for users to choose the right security action.
- Design for consistent decision-making whenever possible.
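The first NIST principle applies to the organizational side of the problem too: the alert flood described earlier is security fatigue in the SOC, and the fix is the same, fewer decisions rather than more warnings. Below is an added illustration, not code from the original post or from NIST, of one common way to do that: collapsing repeated alerts for the same rule and host within a time window into a single record that carries a count. The alert tuples and the five-minute window are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts for this example (not real SIEM output):
# (timestamp, rule, host, detail). Note the burst of identical failed-login
# alerts that would otherwise reach an analyst as four separate decisions.
SAMPLE_ALERTS = [
    ("2018-09-10T08:00:01", "failed-login", "web-01", "user=alice src=10.0.0.5"),
    ("2018-09-10T08:00:03", "failed-login", "web-01", "user=alice src=10.0.0.5"),
    ("2018-09-10T08:00:04", "failed-login", "web-01", "user=alice src=10.0.0.5"),
    ("2018-09-10T08:00:09", "failed-login", "web-01", "user=alice src=10.0.0.5"),
    ("2018-09-10T08:00:10", "new-admin-user", "db-02", "user=svc_backup"),
    ("2018-09-10T08:06:30", "failed-login", "web-01", "user=alice src=10.0.0.5"),
    ("2018-09-10T08:06:31", "failed-login", "web-03", "user=bob src=10.0.0.9"),
]

# Assumed window: repeats of the same (rule, host) within this span of the
# group's first alert are folded into one record. Tune per rule in practice.
WINDOW = timedelta(minutes=5)


def consolidate(alerts, window=WINDOW):
    """Collapse repeated (rule, host) alerts within `window` into one record.

    Returns a list of dicts (rule, host, first_seen, last_seen, count, detail)
    in order of first occurrence. Each record is one decision for an analyst
    instead of `count` decisions; the count keeps the volume visible rather
    than silently discarding it.
    """
    open_groups = {}  # (rule, host) -> record currently being accumulated
    result = []
    # ISO-8601 timestamps sort correctly as strings, so sorting the tuples
    # orders alerts chronologically.
    for ts_str, rule, host, detail in sorted(alerts):
        ts = datetime.fromisoformat(ts_str)
        key = (rule, host)
        rec = open_groups.get(key)
        if rec is not None and ts - rec["first_seen"] <= window:
            rec["count"] += 1
            rec["last_seen"] = ts
            continue
        # New key, or the previous group's window has expired: start a record.
        rec = {
            "rule": rule,
            "host": host,
            "first_seen": ts,
            "last_seen": ts,
            "count": 1,
            "detail": detail,
        }
        open_groups[key] = rec
        result.append(rec)
    return result


def summary_lines(records):
    """Render consolidated records as one line each for a triage queue."""
    lines = []
    for r in records:
        span = r["last_seen"] - r["first_seen"]
        lines.append(
            f"{r['first_seen']:%H:%M:%S} {r['rule']:<15} {r['host']:<7} "
            f"x{r['count']} over {int(span.total_seconds())}s  {r['detail']}"
        )
    return lines


if __name__ == "__main__":
    records = consolidate(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(records)} decisions")
    for line in summary_lines(records):
        print(line)
```

On the constructed input, seven raw alerts become four records, and the one that most deserves attention (a new admin user on a database host) is no longer buried between identical failed-login lines. The window is anchored to the group's first alert, so a slow trickle still surfaces as a fresh record every window rather than being suppressed indefinitely, and the count field means the repetition itself is still part of what the analyst sees.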
As for regulations, if we do a good job of making good cybersecurity habits as natural as locking your house every time you leave, and supporting that with systems that make it easy to stay safe, there will be far less need to attempt to legislate desired behavior (“attempt” being the operative word).
It’s tempting to compare security fatigue to Chicken Little. Chicken Little was mistaken in his belief that disaster was imminent, but in our world, the sky really can fall (metaphorically speaking) and cause a lot of damage. Which is why we need to help users be smart about security, without the fatigue.