Cyber Fatigue: New NIST Study Reveals Consumers Feel Overwhelmed by Security Messages, Compliance
Nov 14 2016
We’ve all heard the cybersecurity horror stories. In fact, we may have heard them too often.
According to a new study by the National Institute of Standards and Technology (NIST), “security fatigue” is emerging as a widespread threat to effective cybersecurity programs. The report’s authors write, “Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”
These findings have direct implications for businesses that are legally required to protect personal and financial data, including retailers, financial and healthcare businesses, and law and other professional services firms.
Cybercrime gambits like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal’s dirty work. For this reason, cyber security experts recognize that the greatest vulnerability in most organizations comes from their own people.
Furthermore, employee-based exploits can raise unique litigation concerns. A breach in which an employee has actively facilitated the cyber criminals’ entry into the employer’s IT system may be harder to defend in court than a breach based on purely technical vulnerabilities, because a plaintiff will seek to attribute the employee’s negligence to the employer, which the law generally allows.
The findings from this new NIST research mean that limiting employee-based vulnerabilities may be more difficult than anticipated. Ironically, this is the case precisely because cyber vulnerabilities are receiving such a high level of attention. The NIST researchers found that the well-intended drumbeat of cyber security awareness has led to burnout and a sense of fatalism among ordinary people, including the employees that firms look to as their first line of cyber defense.
“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said study co-author Mary Theofanos. This weariness leads to resignation and a sense of lost control, which are major de-motivators for the behaviors needed for effective cybersecurity. Many users view cyber security as someone else’s responsibility, something they neither understand nor feel comfortable doing. The end result of cyber fatigue is users acting in a less secure manner.
For example, the study’s participants said:
For businesses with serious data protection obligations, including law firms and other professional services firms, the research underscores the fact that cyber security systems must account for human factors. Simplicity of systems, training that creates a sense of competency and control, and monitoring that catches and prevents poor practices can be useful ways to ensure that cyber weariness in society does not lead to cyber sloppiness on the job. In the current context, the costs of ignoring the human factors are just too great.
Belton Zeigler brings more than 30 years of experience in industrial and infrastructure matters to Womble Carlyle’s Privacy and Data Protection Team efforts. He practices in the firm’s Columbia, S.C. office.