Nav: Home

'Security fatigue' can cause computer users to feel hopeless and act recklessly

October 04, 2016

After updating your password for the umpteenth time, have you resorted to using one you know you'll remember because you've used it before? Have you ever given up on an online purchase because you just didn't feel like creating a new account?

If you have done any of those things, it might be the result of "security fatigue." It exposes online users to risk and costs businesses money in lost customers.

A new study from National Institute of Standards and Technology (NIST) researchers found that a majority of the typical computer users they interviewed experienced security fatigue that often leads users to risky computing behavior at work and in their personal lives.

Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. As one of the study's research subjects said about computer security, "I don't pay any attention to those things anymore...People get weary from being bombarded by 'watch out for this or watch out for that.'"

"The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people's everyday life," cognitive psychologist and co-author Brian Stanton said. "It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet."

"If people can't use security, they are not going to, and then we and our nation won't be secure," Stanton said.

The study, published this week in IEEE's IT Professional, draws on data from a qualitative study on computer users' perception and beliefs about cybersecurity and online privacy. The subjects ranged in age from their 20s to their 60s, hailed from urban, suburban and rural areas, and held a variety of jobs.

The interviews focused on the subjects' work and home computer use, specifically about online activity, including shopping and banking, computer security, security terminology, and security icons and tools.

"We weren't even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data," computer scientist and co-author Mary Theofanos said.

"Years ago, you had one password to keep up with at work," she said. "Now people are being asked to remember 25 or 30. We haven't really thought about cybersecurity expanding and what it has done to people."

The multidisciplinary team learned that the majority of their average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.

When asked to make more computer security decisions than they are able to manage, they experience decision fatigue, which leads to security fatigue.

Researchers found that the result of weariness leads to feelings of resignation and loss of control. These reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules.

Comments among those who expressed feelings of security fatigue included:
  • "I get tired of remembering my username and passwords."

  • "I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.

  • "It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly."

Participants also wonder why they would be targeted in a cyberattack. The data showed that many interviewees did not feel important enough for anyone to want to take their information, nor did they know anyone who had ever been hacked.

Commenters also expressed the sentiment that safeguarding data is someone else's responsibility, leaving computer security up to their bank, online store or someone with more experience.

Individuals also questioned how they could effectively protect their data when large organizations frequently fall victim to cyberattacks.

The data provided evidence for three ways to ease security fatigue and help users maintain secure online habits and behavior. They are:

  1. Limit the number of security decisions users need to make;

  2. Make it simple for users to choose the right security action; and

  3. Design for consistent decision making whenever possible.

To obtain a clearer picture of computer security behavior, the researchers will be interviewing additional computer users of varying levels of responsibility, including cybersecurity professionals; mid-level employees with responsibilities to protect personally identifiable information in fields such as health care, finance and education; and workers who use computers but for whom security is not their primary responsibility.

Stanton and Theofanos suggest it will take a multidisciplinary team of computer security experts, psychologists, sociologists and anthropologists working together to improve computer security issues, including behavior, to manage security fatigue.
-end-
B. Stanton, M.F. Theofanos, S.S. Prettyman, S. Furman. Security Fatigue. IT Professional, Sept.-Oct. 2016. DOI: 10.1109/MITP.2016.84

National Institute of Standards and Technology (NIST)

Related Health Care Articles:

Care management program reduced health care costs in Partners Pioneer ACO
Pesearchers at Partners HealthCare published a study showing that Partners Pioneer ACO not only reduces spending growth, but does this by reducing avoidable hospitalizations for patients with elevated but modifiable risks.
Health care leaders predict patients will lose under President Trump's health care plans
According to a newly released NEJM Catalyst Insights Report, health care executives and industry insiders expect patients -- more than any other stakeholder -- to be the big losers of any comprehensive health care plan from the Trump administration.
The Lancet: The weaponisation of health care: Using people's need for health care as a weapon of war over six years of Syrian conflict
Marking six years since the start of the Syrian conflict (15 March), a study in The Lancet provides new estimates for the number of medical personnel killed: 814 from March 2011 to February 2017.
In the January Health Affairs: Brazil's primary health care expansion
The January issue of Health Affairs includes a study that explores a much-discussed issue in global health: the role of governance in improving health, which is widely recognized as necessary but is difficult to tie to actual outcomes.
Advocacy and community health care models complement research and clinical care
Global lung cancer researchers and patient advocates today emphasized that new models of delivering care and communicating about cancer care play an important role in the fight against lung cancer.
About 1 million Texans gained health care coverage due to Affordable Care Act
Texas has experienced a roughly 6 percentage-point increase in health insurance coverage from the Affordable Care Act, according to new research by experts at Rice University and the Episcopal Health Foundation.
In India, training informal health-care providers improved quality of care
Training informal health-care providers in India improved the quality of health care they offered to patients in rural regions, a new study reports.
Affordable Care Act has improved access to health care, but disparities persist
The Affordable Care Act has substantially decreased the number of uninsured Americans and improved access to health care, though insurance affordability and disparities by geography, race/ethnicity, and income persist.
Integrated team-based care shows potential for improving health care quality, use and costs
Among adults enrolled in an integrated health care system, receipt of primary care at integrated team-based care practices compared with traditional practice management practices was associated with higher rates of some measures of quality of care, lower rates for some measures of acute care utilization, and lower actual payments received by the delivery system, according to a study appearing in the Aug.
Study finds quality of care in VA health care system compares well to other settings
The quality of health care provided to US military veterans in Veterans Affairs (VA) facilities compares favorably with the treatment and services delivered outside the VA.

Related Health Care Reading:

Best Science Podcasts 2019

We have hand picked the best science podcasts for 2019. Sit back and enjoy new science podcasts updated daily from your favorite science news services and scientists.
Now Playing: TED Radio Hour

Digital Manipulation
Technology has reshaped our lives in amazing ways. But at what cost? This hour, TED speakers reveal how what we see, read, believe — even how we vote — can be manipulated by the technology we use. Guests include journalist Carole Cadwalladr, consumer advocate Finn Myrstad, writer and marketing professor Scott Galloway, behavioral designer Nir Eyal, and computer graphics researcher Doug Roble.
Now Playing: Science for the People

#529 Do You Really Want to Find Out Who's Your Daddy?
At least some of you by now have probably spit into a tube and mailed it off to find out who your closest relatives are, where you might be from, and what terrible diseases might await you. But what exactly did you find out? And what did you give away? In this live panel at Awesome Con we bring in science writer Tina Saey to talk about all her DNA testing, and bioethicist Debra Mathews, to determine whether Tina should have done it at all. Related links: What FamilyTreeDNA sharing genetic data with police means for you Crime solvers embraced...