Hack warnings prompt cyber ‘security fatigue

Relentless cybersecurity warnings have given people “security fatigue” that stops them from keeping themselves safe, suggests a study. Many ignored warnings they received, found the US National Institute of Standards and Technology (NIST).

Others were worn out by software updates and by the number of passwords they had to remember, NIST found. This “risky behavior” might make people more susceptible to attack, it warned. The inevitable attack “We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said computer scientist Mary Theofanos, one of the experts who co-ordinated the study.

Responses from subjects revealed that many felt “overwhelmed” by having to be alert for digital threats at all times, remembering to act safely online and by the different security and privacy policies on the sites they used. Others were worn down by the number of passwords, Pins and other secure credentials they had to remember.

“Years ago, you had one password to keep up with at work,” said Ms. Theofanos. “Now people are being asked to remember 25 or 30.”

Many were frustrated by the extra security steps they had to go through to get at “their stuff” in online bank accounts or on other websites.

“We haven’t really thought about cybersecurity expanding and what it has done to people,” she added. On average, Britons have 22 separate passwords. In addition, they typically access at least four separate websites with the same credentials (Source: NCSC)

One million new malware variants are being created each day. One in 113 emails contains malware (Source: Symantec Security Insights report)
Details of login names and passwords for more than 1.5 billion accounts have been stolen and shared online (Source: Troy Hunt)

The NIST study involved in-depth interviews with a broad cross-section of Americans aged 20-60, who lived in rural and urban areas and were in high and low-paying jobs.

Responses from interviewees revealed that many were fatalistic about what they could do to avoid being attacked and many were resigned to being caught out at some point, said Ms. Theofanos.

Many questioned why they would be targeted by malicious hackers have given that they did not work for a sensitive government department or for a finance company. Few said they could name a friend or relative that had been hit by a hack attack.

Others asked how they could possibly be expected to stay safe when massive corporations that spent huge sums on security were regularly caught out. The NIST said it was planning a follow-up study with people who worked in the technology sector to gauge their feelings about security and to find out if they felt overwhelmed to the same degree.

The study said websites and online services needed to do a better job of coordinating how they approached security to lighten the load on users.

“If people can’t use security, they are not going to, and then we and our nation won’t be secure,” said report co-author Brian Stanton