Security Fatigue: When security reaches saturation point
When was the last time you got a security alert on your device prompting you to run a malware scan, update device security settings, or activate multi-factor authentication? Quite recently, I'd imagine, maybe even earlier today. Such prompts reflect years upon years of research, development, and learning about cyber threats and vulnerabilities, distilled into processes that ultimately protect us, our devices, and our data online. But these methods have a catch. Current security guidance never fails to remind us that we must be constantly attentive online, and that constant attention is burdensome and can have adverse effects. One outcome of the endless badgering to run software updates, change passwords, and maintain digital hygiene is that at some point users say "enough" and stop changing passwords or double-checking links they receive via email or text. Users reach a saturation point, a threshold where the effort of maintaining cybersecurity is no longer perceived as worthwhile, and a desensitization to security concerns sets in. This experience has become known as security fatigue, something I'm sure will sound extremely relatable by the end of this article.
To better understand security fatigue, we must first look at what causes it. As mentioned above, the constant reminders to be alert to online risks, and the expectation that users browse with heightened vigilance and security at the forefront of their minds, are partly to blame. This information overloads and tires users as they try to keep up with the ever-changing do's and don'ts of online security, and that exhaustion is how security fatigue manifests. Closely related is decision fatigue: individuals who are asked to make more decisions than they can process start avoiding decisions altogether, which shows up as impulsive behavior or as a general sense of resignation and loss of control over their actions online. So when users are bombarded with security-oriented decisions, they take the easy way out, much as we all click "accept" on a terms-of-service screen when installing software or signing up for a website rather than actually reading it. A final cause of security fatigue is doubt that the recommended precautions actually make anyone safer. Because security recommendations rarely show users a direct benefit, users cannot connect their risk-averse actions to any visible success in averting threats.
Security fatigue affects both members of the general public and users within organizations, and it can take different forms, including authentication fatigue, cognitive fatigue, data breach fatigue, and many more. When users feel overwhelmed by security requirements, their decisions tend to be driven by coping mechanisms rather than sound security judgment. This is particularly true of security behaviors whose benefit is never visible to the user, and the most illustrative example is password fatigue.
High-level password hygiene means having a different password for every account, each at least 16 characters long and containing a mix of uppercase letters, lowercase letters, numbers, and symbols. Routine password changes were long part of this list too, although current guidance such as NIST SP 800-63B recommends changing a password only when there is evidence it has been compromised, precisely because forced rotation pushes tired users toward weaker, predictable variations of the old password. In addition, enabling multi-factor authentication and being cautious about which sites you enter passwords into would further strengthen your accounts, but let's focus on the password itself for now.
Secure password criteria are as annoying to implement as they are to maintain, so it comes as no surprise that many people resort to bad password habits despite knowing the risks this exposes them to. In fact, 51% of people use the same password for both work and personal accounts, and the average password length is 8 characters. Furthermore, it is common for IT professionals to reuse passwords more than average users do. Memorizing hundreds of different, complex credentials would be a Sisyphean task, but one way to avoid this fatigue is to use an offline password manager. A password manager generates and stores a unique password for each account, encrypted under a single master password, so that the master password is the only one the user has to memorize.
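To make the password-manager idea concrete, here is an added example (my own illustration, not code from any real password manager) of the three things such a tool does on the user's behalf: generate passwords that satisfy the policy described above, derive a vault key from the one memorized master password with scrypt, and flag the kind of cross-account reuse the statistics describe. The account names and passwords in SAMPLE_VAULT are constructed for the example, and the vault encryption step itself is omitted; a real manager would use the derived key with an authenticated cipher such as AES-GCM to wrap the stored passwords.

```python
import hashlib
import secrets
import string

# Policy from the article: at least 16 characters drawing on all four classes.
MIN_LENGTH = 16
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)


def generate_password(length: int = 20) -> str:
    """Generate a random password that is guaranteed to satisfy the policy.

    One character is drawn from each class first so the result cannot miss a
    class by chance, the remainder comes from the full alphabet, and the list
    is shuffled with a CSPRNG so the class positions are not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """Check the length and that every character class is present."""
    return len(password) >= MIN_LENGTH and all(
        any(c in cls for c in password) for cls in CLASSES
    )


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the vault encryption key from the master password with scrypt.

    This is the step that lets a user memorize a single secret: the vault is
    encrypted under this key, which exists only while the manager is unlocked.
    The random salt is stored next to the encrypted vault, not memorized.
    """
    return hashlib.scrypt(
        master_password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32
    )


def find_reuse(vault: dict[str, str]) -> list[list[str]]:
    """Return groups of accounts (sorted) that share the same password."""
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


# Constructed sample vault: hypothetical account names and passwords.
SAMPLE_VAULT = {
    "work-email": "Summer2023!",
    "personal-email": "Summer2023!",
    "bank": "Summer2023!",
    "shopping": "correct-horse-battery",
}

if __name__ == "__main__":
    print("reused across:", find_reuse(SAMPLE_VAULT))
    generated = generate_password()
    print("generated:", generated, "policy ok:", meets_policy(generated))
    salt = secrets.token_bytes(16)
    print("vault key:", derive_vault_key("my one memorized phrase", salt).hex())
```

Running the block reports that three of the four sample accounts share "Summer2023!", which also fails the policy on length alone, while the generated password passes it; the scrypt parameters (n=2**14, r=8, p=1) are a common interactive-login choice and can be raised for a vault that is unlocked rarely.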
While the right tools and information to maintain proper cybersecurity are available to users, the manner in which they are presented is overwhelming to the point that the recommendations become counterproductive. As such, there is a need to reassess the relationship between internet users and cybersecurity. The security decisions asked of users should be redesigned to support and motivate them to take the necessary precautions, rather than overload them and leave them less secure than before.