[Cryptography] Security Fatigue

Bill Frantz frantz at pwpconsult.com
Sun Oct 9 02:28:38 EDT 2016


Oops. Copy/paste error. I should have linked 
<https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly>. 
I didn't have any problem viewing the paper at this link. A text 
version of what I saw is:

‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless 
and Act Recklessly, New Study Suggests
October 04, 2016


After updating your password for the umpteenth time, have you 
resorted to using one you know you’ll remember because 
you’ve used it before? Have you ever given up on an online 
purchase because you just didn’t feel like creating a new account?

If you have done any of those things, it might be the result of 
“security fatigue.” It exposes online users to risk and 
costs businesses money in lost customers.

A new study from the National Institute of Standards and 
Technology (NIST) found that a majority of the typical computer 
users they interviewed experienced security fatigue that often 
leads users to risky computing behavior at work and in their 
personal lives.

Security fatigue is defined in the study as a weariness or 
reluctance to deal with computer security. As one of the 
study’s research subjects said about computer security, “I 
don’t pay any attention to those things anymore…People get 
weary from being bombarded by ‘watch out for this or watch out 
for that.’”

“The finding that the general public is suffering from 
security fatigue is important because it has implications in the 
workplace and in people’s everyday life,” cognitive 
psychologist and co-author Brian Stanton said. “It is critical 
because so many people bank online, and since health care and 
other valuable information is being moved to the internet.”

“If people can’t use security, they are not going to, and 
then we and our nation won’t be secure,” Stanton said.

The study, published this week in IEEE’s IT Professional, 
draws on data from a qualitative study on computer users’ 
perception and beliefs about cybersecurity and online privacy. 
The subjects ranged in age from their 20s to their 60s, hailed 
from urban, suburban and rural areas, and held a variety of jobs.

The interviews focused on the subjects’ work and home computer 
use, specifically about online activity, including shopping and 
banking, computer security, security terminology, and security 
icons and tools.

“We weren’t even looking for fatigue in our interviews, but 
we got this overwhelming feeling of weariness throughout all of 
the data,” computer scientist and co-author Mary Theofanos said.

“Years ago, you had one password to keep up with at work,” 
she said. “Now people are being asked to remember 25 or 30. We 
haven’t really thought about cybersecurity expanding and what 
it has done to people.”

The multidisciplinary team learned that the majority of their 
average computer users felt overwhelmed and bombarded, and they 
got tired of being on constant alert, adopting safe behavior, 
and trying to understand the nuances of online security issues.

When asked to make more computer security decisions than they 
are able to manage, they experience decision fatigue, which 
leads to security fatigue.

Researchers found that the result of weariness leads to feelings 
of resignation and loss of control. These reactions can lead to 
avoiding decisions, choosing the easiest option among 
alternatives, making decisions influenced by immediate 
motivations, behaving impulsively, and failing to follow 
security rules.

Comments among those who expressed feelings of security fatigue included:

     “I get tired of remembering my username and passwords.”
     “I never remember the PIN numbers, there are too many 
things for me to remember. It is frustrating to have to remember 
this useless information.”
     “It also bothers me when I have to go through more 
additional security measures to access my things, or get locked 
out of my own account because I forgot as I accidentally typed 
in my password incorrectly.”

Participants also wonder why they would be targeted in a 
cyberattack. The data showed that many interviewees did not feel 
important enough for anyone to want to take their information, 
nor did they know anyone who had ever been hacked.

Commenters also expressed the sentiment that safeguarding data 
is someone else’s responsibility, leaving computer security up 
to their bank, online store or someone with more experience.

Individuals also questioned how they could effectively protect 
their data when large organizations frequently fall victim to cyberattacks.

The data provided evidence for three ways to ease security 
fatigue and help users maintain secure online habits and 
behavior. They are:

     Limit the number of security decisions users need to make;
     Make it simple for users to choose the right security 
action; and
     Design for consistent decision making whenever possible.

To obtain a clearer picture of computer security behavior, the 
researchers will be interviewing additional computer users of 
varying levels of responsibility, including cybersecurity 
professionals; mid-level employees with responsibilities to 
protect personally identifiable information in fields such as 
health care, finance and education; and workers who use 
computers but for whom security is not their primary responsibility.

Stanton and Theofanos suggest it will take a multidisciplinary 
team of computer security experts, psychologists, sociologists 
and anthropologists working together to improve computer 
security issues, including behavior, to manage security fatigue.

Paper: B. Stanton, M.F. Theofanos, S.S. Prettyman, S. Furman. 
Security Fatigue. IT Professional, Sept.-Oct. 2016. DOI: 10.1109/MITP.2016.84
-----------------------------------

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        |The nice thing about standards| Periwinkle
(408)356-8506      |is there are so many to choose| 16345 Englewood Ave
www.pwpconsult.com |from.   - Andrew Tanenbaum    | Los Gatos, CA 95032
