Many people abandon security, risky behavior surges

‘Security fatigue’ is behind an increase in risky online and computer behavior, a new NIST study finds

People are sick and tired of being told to be more secure in their use of computers and when participating in online activities. So much so that they’re simply ignoring the blitz of annoying demands and are carrying on as imprudently as they’ve always done, according to National Institute of Standards and Technology (NIST) researchers.

The U.S. Department of Commerce-operated lab recently published a report (subscription) on the subject in IEEE’s IT Professional Journal.

The study’s participants “expressed a sense of resignation and loss of control” when the scientists asked them about their online activity, such as shopping and banking.

“Fatalism, risk minimization and decision avoidance” were prevalent, too. Those emotions and reactions imply serious “security fatigue,” and more than half of the respondents felt that way, the report found.

“I don’t pay any attention to those things anymore. People get weary from being bombarded by ‘watch out for this or watch out for that,’” one participant said when queried about thoughts on computer security.

The subjects interviewed were in a number of different jobs.

“We weren’t even looking for fatigue in our interviews,” said Mary Theofanos, computer scientist and one of the study authors, in a NIST press release. “But we got this overwhelming feeling of weariness throughout all of the data.”

What causes security fatigue?

One of the main problems is probably the sheer amount of security data and activities that people are being asked to plow through daily. That includes maintaining dozens of passwords and continuous, intrusive security updates. In the old days, one could have gotten away with just a single password. Not today, the study points out.

People haven’t been considered, Theofanos said.

“We haven’t really thought about cybersecurity expanding and what it has done to people,” she said.

And they find it all extremely frustrating, NIST said, particularly if they get locked out of an account for forgetting a password or not getting the syntax correct. It’s such a problem that they are now avoiding security and acting riskily.

That’s a problem for two reasons: The first is that businesses are losing money because people are avoiding online purchases when the process is too much of a hassle. In other words, they’re not opening new accounts because they can’t be bothered due to the security aggravation. It’s easier to stick with the accounts one already has.

And secondly, there’s an increase in the use of online banking overall, so security is actually becoming more important, yet it appears to be increasingly ignored.

The financial sector is, and has been, attempting to make consumer security more palatable, though.

Non-password security options

Selfie-pay authentication is the latest password replacement to be attempted. MasterCard now allows biometric identity checks for European online payment customers. The system uses facial recognition via the camera on smartphones. A requirement to blink is supposed to help authenticate the face.

If it takes off, selfie-pay should reduce the need to remember some passwords.

It could also lead to “the complete removal of the component making online security so feeble”—passwords, said a representative of a selfie-pay company, LogMeOnce, in an email to me.

That person was referring to the hackable nature of passwords, not the potential total abandonment of security altogether thanks to the insidious security fatigue that Theofanos implies will be rampant in our future.

There’s a “lack of benefit for following security advice,” NIST claimed. The number of decisions users need to make must be reduced, actions have to be simpler, and consistent decision making should be designed in, it said.
