Weary online users at risk of cybercrime

Research has revealed that ‘security fatigue’ can cause computer users to act recklessly.

Security fatigue is defined in the study by the National Institute of Standards and Technology (NIST) as a weariness or reluctance to deal with computer security. Constant security warnings may cause people to ignore online safety because they hear about it so often.

This exposes online users to risk and costs businesses money due to lost customers.

“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said Brian Stanton, cognitive psychologist and co-author.

“It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

The study draws on data from a qualitative study on computer users’ perception and beliefs about cybersecurity and online privacy. The age of the subjects ranged from 20s–60s. They lived in a range of different areas and held a variety of jobs.

The interviews focused on the subjects’ work and home computer use, specifically about online activity, including shopping and banking, computer security, security terminology and security icons and tools.

“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said Mary Theofanos, computer scientist and co-author.

“Years ago, you had one password to keep up with at work,” she said.

“Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”

The research team learned that the majority of their average computer users felt overwhelmed and bombarded. In addition, many have become tired of being on constant alert, adopting safe behaviour and trying to understand the nuances of online security issues.

When asked to make more computer security decisions than they are able to manage, they experience decision fatigue, which leads to security fatigue.

The result of weariness leads to feelings of resignation and loss of control. These reactions can also result in avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively and failing to follow security rules.

Many participants wondered why they would be targeted in a cyber attack. The data showed that many interviewees did not feel important enough for anyone to want to take their information, nor did they know anyone who had ever been hacked.

Another common sentiment expressed in the study was uncertainty as to how individuals could effectively protect their data when large organisations frequently fall victim to cyber attacks.

Methods for easing security fatigue as identified by the study include limiting the number of security decisions users need to make, making it simple for users to choose the right security action and allowing for consistent decision making whenever possible. 

To obtain a clearer picture of computer security behaviour, the researchers will be interviewing additional computer users of varying levels of responsibility. They suggest it will take a multidisciplinary team of computer security experts, psychologists, sociologists and anthropologists working together to improve computer security issues and ultimately manage security fatigue.

Image credit: ©iStockphoto.com/Yunus Arakon