The Problem of Employee Security Fatigue and How to Overcome It
Does your organization suffer from security fatigue? They probably do. That’s according to a new study from NIST.
Common symptoms of security fatigue include updating your password with a slight variation on the last one and a “weariness or reluctance to deal with computer security.” All of which can cause computer users to feel and act recklessly.
It’s easy to see why. Each day we’re bombarded with cybersecurity reminders, best practices, and do’s and don’ts. To the point where we tend to block it out.
The consumer study focused on the subject’s home and work computer use, and habits that pertain to online activity – shopping, banking, and computer security. Findings show that the majority of users feel bombarded and overwhelmed by the endless need to be on constant alert and practice safe online habits. Many are even complacent and wonder why they would be a target of attack and that it’s someone else’s problem to protect them – their bank, online store, etc.
“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” computer scientist and co-author Mary Theofanos said.
“Years ago, you had one password to keep up with at work,” she said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”
Given the fact that our personal cybersecurity habits (often impulsive and lacks) tend to extend to the workplace, exposing potentially sensitive government or corporate information, NIST recommends that organizations can help users minimize security fatigue in three ways:
1. Limit the number of security decisions users need to make;
2. Make it simple for users to choose the right security action; and
3. Design for consistent decision making whenever possible.
Check out the full study here.