Oh dear. It may very well be National Cybersecurity Awareness Month, but a new study suggests that many members of the general public have thrown in the towel and given up. The detailed study, from the National Institute of Standards and Technology (NIST), suggests that the public is suffering from "security fatigue" and a feeling of helplessness when it comes to their online security:
"Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice."
Resignation, fatigue, dread, decision avoidance... these aren't good things. If users feel out of their depth when it comes to securing themselves online, they are either going to avoid making decisions or fall back on bad habits. Some of the statements given by the study's participants paint a concerning picture:
- "Security seems to be a bit cumbersome, just something else to have and keep up with."
- "I think I am desensitized to it... People get weary of being bombarded by watch out for this, watch out for that."
- "...first it gives me a login, then it gives me a site key I have to recognize, then it gives me a password. So that is enough, don't ask me anything else."
- "I get tired of remembering my username and passwords."
- "I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information."
- "It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly."
When you read comments like that, it's understandable that some people are exhibiting signs of "security fatigue". But does security really have to be that much of a pain? NIST proposes a three-point plan to ease security fatigue and help users improve their behaviour when it comes to online security:
- Limit the number of security decisions users need to make
- Make it simple for users to choose the right security action
- Design for consistent decision making whenever possible
As report co-author Mary Theofanos explains, instilling good habits is essential. If safe behaviour becomes habitual, then when we feel swamped by the craziness of the online world we will at least fall back on habits that were designed to protect us, rather than ones that put us at greater risk. It is also important to take some of the tricky decisions away from users. The goal should be for doing the right thing to be the easy choice and doing the wrong thing to be much harder; and, of course, to help users recover when the wrong thing happens (as it surely still will sometimes!)

We are all now in the lucky position of having powerful computers not only in the workplace and at home, but carried in our pockets everywhere we go. Our increased interconnectivity might open us up to more opportunities for attack, but the technology we carry with us can play a significant part in making things simpler and safer.

Many of the respondents quoted above, for instance, describe problems with passwords, PINs and the security measures guarding access to their accounts. Yes, the typical person does feel exhausted at the prospect of ensuring that every password is unique, more than 20 characters long and made up of a gobbledygook random collection of letters, symbols and numbers, let alone remembering them all. But that's where computers and smartphones come in.

The most common question I am asked by members of the public is "I know I'm supposed to have lots of different, complex passwords... but how am I supposed to remember them?" Well, good news! You're not supposed to remember them. In fact, if you can remember them you're probably doing it wrong! Instead, invest in a decent password manager, which will securely store your passwords for you and generate properly random, complex passwords whenever you create a new account online.
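To make "properly random" concrete, here is an added example (not code from the original article or from any particular password manager) of how a generator produces such passwords with the operating system's cryptographic random source, how much entropy the result carries, and why the one secret you still have to remember (the manager's master password) is best built as a passphrase. The word list is a small constructed sample; a real manager would use a list of several thousand words such as the EFF long list.

```python
"""Added example, not from the original article: generating the kind of
random passwords a password manager produces, using only the standard library."""
import math
import secrets
import string

# Symbols a typical generator draws from: 52 letters + 10 digits + 32 punctuation = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list for the passphrase generator (assumption: a real
# manager ships a list of several thousand words, e.g. the EFF long list).
SAMPLE_WORDS = (
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier",
    "harbor", "iris", "juniper", "kelp", "lantern", "meadow", "nectar",
)


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols drawn uniformly from `alphabet`.

    `secrets` reads the operating system's CSPRNG. The `random` module must
    not be used here: its Mersenne Twister state can be recovered from a few
    hundred observed outputs, after which every other password the generator
    produced becomes predictable.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(count: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase for the one secret you must remember and type
    by hand: the manager's own master password. Strength comes from choosing
    `count` words uniformly from a large list, not from the words themselves."""
    if count < 1:
        raise ValueError("count must be positive")
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, f"({entropy_bits(24, len(ALPHABET)):.0f} bits)")
    # An 8-character password made only of lowercase letters is capped at
    # 8 * log2(26) ~ 37.6 bits even if chosen perfectly at random; human-chosen
    # passwords are far weaker because people do not choose uniformly.
    print(f"8 lowercase letters, if uniform: {entropy_bits(8, 26):.1f} bits")
    print(generate_passphrase(6))
```

The point the numbers make is the article's own: a 24-symbol password from a 94-symbol alphabet carries about 157 bits of entropy, far beyond anything a person can memorise or an attacker can guess, so the manager remembers it and the user remembers only one good passphrase.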
Password management software can be used not just to remember your login passwords, but also your PINs and the answers to those impossible questions your bank sometimes asks about your mother's French teacher's maiden name.

If we take the time to explain and demonstrate the benefits that secure practices bring, we can increase the chances of regular, non-technical members of the public embracing online safety. After all, when designed and implemented properly, the whole point of a security solution should be to reduce stress and fatigue.

What are the tips you give your non-technical friends and family for staying safe online? How do you think those of us in the industry should change our ways to help the general public? Leave a comment below with your thoughts.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.