[BreachExchange] How 'Security Fatigue' Affects Our Choices Online

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 11 19:38:38 EDT 2016


http://www.eweek.com/security/how-security-fatigue-affects-our-choices-online.html

An overabundance of security news and alerts has led to "security fatigue,"
which is causing users to make bad choices when it comes to online
security, suggests a report from the National Institute of Standards and
Technology (NIST).

Although the report just came out Oct. 4, the data collection for the study
took place from January to March 2011 and included 40 interviews with
participants, including men and women from the Washington, D.C.,
metropolitan area and central Pennsylvania. The report is one of many that
are likely to debut this month, which has been dubbed National
Cyber-Security Awareness Month (NCSAM).

"We were completely surprised by the findings," report co-author and NIST
computer scientist Mary Theofanos said in a video discussing the results.
"We found this underlying theme of fatigue and weariness, which came with
dread and resignation."

Theofanos explained that the more decisions an individual makes in the
course of the day, the harder it is to make decisions. When individuals get
tired of making decisions, their brains go into another mode to either
avoid decisions or fall back on existing habits, she said.

This so-called security fatigue phenomenon is a key reason users are reusing
passwords and perhaps not taking all the right measures to stay safe online.

The idea of security fatigue is not surprising to me, and it's a challenge
that I grapple with every day as the volume of data breaches and security
exploits seems to be never-ending. With so much bad news, it's almost
understandable why some people might just resign themselves to the fact
that online security is out of reach.

A defeatist attitude, however, is not the right answer. It's just a symptom
of security fatigue. People reuse passwords not because they want to get
hacked but because it's easier to remember a password they already use. The
internet and technology, in general, are adopted by consumers not because
it is hard to consume, but rather because it is easy and useful.

NIST has three primary suggestions to help reduce security fatigue:

Limit the number of security decisions users need to make;
Make it simple for users to choose the right security action; and
Design for consistent decision making whenever possible.

All of those suggestions are clearly valuable, as they place the onus of
responsibility on application developers and vendors to enable users to
make the right choices. Although that's helpful, it can also potentially
remove users from elements of the security decision-making process.

Back in 2014, Alex Stamos, Yahoo's chief information security officer at
the time, told attendees at the Black Hat USA conference that to keep users
secure, big vendors like Yahoo needed to take a "security paternalistic"
approach in which the vendor knows how to protect users.

Stamos left Yahoo in 2015, and this past week, we learned that his
departure may have been tied to an effort from Yahoo to scan user emails at
the request of the National Security Agency.

As such, can or should users really trust big vendors and service providers
to know and do what's best?

It's not an easy question to answer. The simple fact, though, is that
application developers and internet sites like Yahoo have more resources
and expertise than any one individual user is likely to have. As NIST
suggests, there are steps that vendors can take to reduce security fatigue,
but users for their own safety still must take some responsibility.

It is the right thing for developers to build applications that are secure
by design—that limit the risks of exploitation and enforce strong
authentication principles. User experience must not be considered a higher
priority than security, and vice versa.

Typically, my own smart-aleck response whenever someone talks to me about
fatigue is to tell them to simply sleep more and get some rest. In the
modern always-on world, the constant need to be connected and stay secure
doesn't allow for rest. But maybe, just maybe, if application developers
and vendors follow NIST's three suggestions, users will get the short
respite they need to avoid security fatigue.