We’ve all heard the cybersecurity horror stories. In fact, we may have heard them too often.

According to a new study by the National Institute of Standards and Technology (NIST), “security fatigue” is emerging as a widespread threat to effective cybersecurity programs. The report’s authors write, “Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”

These findings have direct implications for businesses that are legally required to protect personal and financial data, including retailers, financial and healthcare businesses, law and other professional services firms.

Cybercrime gambits like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal’s dirty work. For this reason, cyber security experts recognize that the greatest vulnerability in most organizations comes from their own people.

Furthermore, employee-based exploits can raise unique litigation concerns. A breach where an employee has actively facilitated the cyber criminals’ entry into the employer’s IT system may be harder to defend in court than a breach based on purely technical vulnerabilities. A plaintiff will seek to attribute the employee’s negligence to the employer, which the law generally allows.

The findings from this new NIST research mean that limiting employee-based vulnerabilities may be more difficult than anticipated. Ironically, this is the case precisely because cyber vulnerabilities are receiving such a high level of attention. The NIST researchers found that the well-intended drumbeat of cyber security awareness has led to burnout and a sense of fatalism among ordinary people, including the employees that firms look to as their first line of cyber defense.

“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said study co-author Mary Theofanos. This weariness leads to resignation and a sense of loss of control, which are major de-motivators for the behaviors needed for effective cybersecurity. Many users view cyber security as someone else’s responsibility, something they neither understand nor feel comfortable doing. The end result of cyber fatigue is users acting in a less secure manner.

For example, the study’s participants said:

  • “I think I am desensitized to it—I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay any attention to those things anymore because it’s in the past. People get weary of being bombarded by ‘watch out for this or watch out for that.’”
  • “I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”
  • “Security seems to be a bit cumbersome, and just something else to have to keep up with.”
  • “It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.”

This research may help explain the persistent failure of individuals across organizations to update passwords, to avoid easily guessed passwords, to stop using a single password for multiple accounts, and to never click on links in suspect emails. It may not be that people don’t know better. They may just be burned out by unfocused and unmodulated communication about their cyber security duties.

For the study, NIST researchers interviewed US computer users ages 20-60 from all areas of the country who work in a variety of careers. Follow-up studies of employees with specific data protection responsibilities are planned.

The study points up the fact that effective employee cyber security awareness programs must overcome apathy, motivate changed behavior, and generate clarity out of a barrage of confusing messages. Simply relying on written policies and regular exhortations from IT professionals may not work. In fact, such an approach may exacerbate cyber fatigue and drive cyber risk higher. Training and HR experts have expertise in motivating and changing employee behavior. These human factor experts are emerging as the newest partners in the cyber risk response process. Their specific skills are key to creating employee engagement and molding an organizational culture of cyber safety vigilance. Unless human factor experts have a prominent seat at the table, employee-based cyber defense plans may be doomed to ineffectiveness from the start.

In addition, organizations may need to consider the sophistication of their cyber awareness programs in light of their employee discipline policies. Certain data protection schemes, such as those enforced under the HIPAA Privacy Rule, require appropriate employee discipline where data security policies are not followed and breaches result. In such a context, employers have a heightened duty to ensure that their training programs and organizational culture have real-world effectiveness in supporting compliance with their mandated cyber security policies. To do otherwise is to create a system where good employees are punished for the organization’s training and cultural failures.

To respond to cyber fatigue, the NIST researchers offer three specific suggestions:

  1. Limit the number of security decisions users need to make;
  2. Make it simple for users to choose the right security action; and
  3. Design for consistent decision making whenever possible.

For businesses with serious data protection obligations, including law firms and other professional firms, the research underscores the fact that cyber security systems must account for human factors. Simplicity of systems, training that creates a sense of competency and control, and monitoring that catches and prevents poor practices can be useful ways to ensure that cyber weariness in society does not lead to cyber sloppiness on the job. In the current context, the costs of ignoring the human factors are just too great.

Belton Zeigler brings more than 30 years of experience in industrial and infrastructure matters to Womble Carlyle’s Privacy and Data Protection Team efforts. He practices in the firm’s Columbia, S.C. office.