[Cryptography] Security Fatigue
Bill Frantz
frantz at pwpconsult.com
Sun Oct 9 02:28:38 EDT 2016
Oops. Copy/paste error. I should have linked
<https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly>.
I didn't have any problem viewing the paper at this link. A text
version of what I saw is:
‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless
and Act Recklessly, New Study Suggests
October 04, 2016
After updating your password for the umpteenth time, have you
resorted to using one you know you’ll remember because
you’ve used it before? Have you ever given up on an online
purchase because you just didn’t feel like creating a new account?
If you have done any of those things, it might be the result of
“security fatigue.” It exposes online users to risk and
costs businesses money in lost customers.
A new study from the National Institute of Standards and
Technology (NIST) found that a majority of the typical computer
users they interviewed experienced security fatigue that often
leads users to risky computing behavior at work and in their
personal lives.
Security fatigue is defined in the study as a weariness or
reluctance to deal with computer security. As one of the
study’s research subjects said about computer security, “I
don’t pay any attention to those things anymore…People get
weary from being bombarded by ‘watch out for this or watch out
for that.’”
“The finding that the general public is suffering from
security fatigue is important because it has implications in the
workplace and in people’s everyday life,” cognitive
psychologist and co-author Brian Stanton said. “It is critical
because so many people bank online, and since health care and
other valuable information is being moved to the internet.”
“If people can’t use security, they are not going to, and
then we and our nation won’t be secure,” Stanton said.
The study, published this week in IEEE’s IT Professional,
draws on data from a qualitative study on computer users’
perception and beliefs about cybersecurity and online privacy.
The subjects ranged in age from their 20s to their 60s, hailed
from urban, suburban and rural areas, and held a variety of jobs.
The interviews focused on the subjects’ work and home computer
use, specifically about online activity, including shopping and
banking, computer security, security terminology, and security
icons and tools.
“We weren’t even looking for fatigue in our interviews, but
we got this overwhelming feeling of weariness throughout all of
the data,” computer scientist and co-author Mary Theofanos said.
“Years ago, you had one password to keep up with at work,”
she said. “Now people are being asked to remember 25 or 30. We
haven’t really thought about cybersecurity expanding and what
it has done to people.”
The multidisciplinary team learned that the majority of their
average computer users felt overwhelmed and bombarded, and they
got tired of being on constant alert, adopting safe behavior,
and trying to understand the nuances of online security issues.
When asked to make more computer security decisions than they
are able to manage, they experience decision fatigue, which
leads to security fatigue.
Researchers found that the result of weariness leads to feelings
of resignation and loss of control. These reactions can lead to
avoiding decisions, choosing the easiest option among
alternatives, making decisions influenced by immediate
motivations, behaving impulsively, and failing to follow
security rules.
Comments among those who expressed feelings of security fatigue included:
“I get tired of remembering my username and passwords.”
“I never remember the PIN numbers, there are too many
things for me to remember. It is frustrating to have to remember
this useless information.
“It also bothers me when I have to go through more
additional security measures to access my things, or get locked
out of my own account because I forgot as I accidentally typed
in my password incorrectly.”
Participants also wonder why they would be targeted in a
cyberattack. The data showed that many interviewees did not feel
important enough for anyone to want to take their information,
nor did they know anyone who had ever been hacked.
Commenters also expressed the sentiment that safeguarding data
is someone else’s responsibility, leaving computer security up
to their bank, online store or someone with more experience.
Individuals also questioned how they could effectively protect
their data when large organizations frequently fall victim to cyberattacks.
The data provided evidence for three ways to ease security
fatigue and help users maintain secure online habits and
behavior. They are:
Limit the number of security decisions users need to make;
Make it simple for users to choose the right security
action; and
Design for consistent decision making whenever possible.
To obtain a clearer picture of computer security behavior, the
researchers will be interviewing additional computer users of
varying levels of responsibility, including cybersecurity
professionals; mid-level employees with responsibilities to
protect personally identifiable information in fields such as
health care, finance and education; and workers who use
computers but for whom security is not their primary responsibility.
Stanton and Theofanos suggest it will take a multidisciplinary
team of computer security experts, psychologists, sociologists
and anthropologists working together to improve computer
security issues, including behavior, to manage security fatigue.
Paper: B. Stanton, M.F. Theofanos, S.S. Prettyman, S. Furman.
Security Fatigue. IT Professional, Sept.-Oct. 2016. DOI: 10.1109/MITP.2016.84
-----------------------------------
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | The nice thing about standards  | Periwinkle
(408)356-8506      | is there are so many to choose  | 16345 Englewood Ave
www.pwpconsult.com | from. - Andrew Tanenbaum        | Los Gatos, CA 95032