Combatting Security Fatigue and Apathy
Security fatigue leads to resignation, causing users to abandon efforts to protect themselves or their organizations.
A new NIST study found that for many users, managing logins and passwords has become too burdensome to do well. Some users respond by rationalizing ways to ignore the risks of bad password practices. They may tell themselves “I’m not important enough to be on the receiving end of a targeted attack.”
Sound familiar? Such self-talk is false comfort. Anyone can be hit by automated financial fraud or a ransomware attack, or simply become the weak link in an attack on their employer.
Such apathy is frustrating to security professionals. We know how to take advantage of tools like long but memorable passphrases, password managers, and the free one-time password (OTP) options available at many sites. Password hygiene is like dental hygiene: none of us likes to floss, but we like root canals even less.
Logic, however, doesn’t change the fact that many users will succumb to apathy – the easy way out. The industry has to make authentication easier: biometrics, native mobile-app OTP, and similar patterns that make routine sign-in effortless, combined with short PINs, lockout counters, and other simple mechanisms that step up to stronger authentication when the action requires it.
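The following is an added example, not code from the original post, showing the step-up pattern just described as a small policy engine: a short PIN covers low-risk actions, repeated PIN failures trigger a lockout, and higher-risk actions demand a device OTP or a biometric before they proceed. The action table, factor ordering, attempt limit and time windows are assumed values chosen for the illustration; the PIN is stored as a salted PBKDF2 digest rather than in the clear.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assurance ladder: higher number = stronger factor. Illustrative ordering, an assumption of this example.
LEVELS = {"pin": 1, "device_otp": 2, "biometric": 3}

# Assumed policy table mapping each action to the weakest factor allowed to authorize it.
# Constructed for this example; a real deployment derives this from its own risk model.
REQUIRED_FACTOR = {
    "view_balance": "pin",
    "pay_known_payee": "device_otp",
    "add_payee": "biometric",
}

MAX_PIN_FAILURES = 5       # consecutive failures before the PIN is locked (assumed)
LOCKOUT_SECONDS = 300      # how long the PIN is refused after lockout (assumed)
FACTOR_TTL_SECONDS = 600   # a verified factor goes stale after this and must be repeated (assumed)
PBKDF2_ITERATIONS = 100_000


@dataclass
class PinCredential:
    salt: bytes
    digest: bytes


@dataclass
class Session:
    verified_at: dict = field(default_factory=dict)  # factor -> time it was last verified
    pin_failures: int = 0
    locked_until: float = 0.0


def enroll_pin(pin: str) -> PinCredential:
    """Store the PIN as a salted PBKDF2 digest so a database leak does not expose it directly."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return PinCredential(salt=salt, digest=digest)


def verify_pin(session: Session, cred: PinCredential, pin: str, now: float) -> bool:
    """Check a PIN, counting consecutive failures and locking the session after too many.

    A short PIN is only safe online because the lockout bounds the number of guesses.
    """
    if now < session.locked_until:
        return False  # locked out: refuse even a correct PIN until the window expires
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), cred.salt, PBKDF2_ITERATIONS)
    if hmac.compare_digest(candidate, cred.digest):  # constant-time comparison
        session.pin_failures = 0
        session.verified_at["pin"] = now
        return True
    session.pin_failures += 1
    if session.pin_failures >= MAX_PIN_FAILURES:
        session.locked_until = now + LOCKOUT_SECONDS
        session.pin_failures = 0
    return False


def record_factor(session: Session, factor: str, now: float) -> None:
    """Mark a factor (e.g. biometric unlock or app OTP) as verified at time `now`."""
    if factor not in LEVELS:
        raise ValueError(f"unknown factor {factor!r}")
    session.verified_at[factor] = now


def current_level(session: Session, now: float) -> int:
    """Strongest factor verified within its TTL, or 0 if nothing is fresh."""
    fresh = [LEVELS[f] for f, ts in session.verified_at.items()
             if now - ts <= FACTOR_TTL_SECONDS]
    return max(fresh, default=0)


def step_up_required(session: Session, action: str, now: float):
    """Return the factor the user must present before `action`, or None if the session suffices.

    A stronger factor already verified satisfies any weaker requirement, so a user who just
    unlocked with a biometric is not bothered for a PIN.
    """
    needed = REQUIRED_FACTOR[action]
    if current_level(session, now) >= LEVELS[needed]:
        return None
    return needed


if __name__ == "__main__":
    cred = enroll_pin("4821")   # constructed sample PIN
    s = Session()
    print("view_balance needs:", step_up_required(s, "view_balance", 0.0))
    print("pin ok:", verify_pin(s, cred, "4821", 0.0))
    print("add_payee needs:", step_up_required(s, "add_payee", 1.0))
```

The point of the design is that the user's everyday path stays cheap (a PIN, or a biometric that covers everything below it) and the expensive prompt only appears at the moment an action is risky enough to justify it, which is exactly when a user is least likely to resent it.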
The study further suggests that: “The data provided evidence for three ways to ease security fatigue and help users maintain secure online habits and behavior. They are:
- Limit the number of security decisions users need to make;
- Make it simple for users to choose the right security action; and
- Design for consistent decision making whenever possible.”
As a security consultant, I’ve learned to communicate in business terms wherever possible, and to advise my clients to do the same with their internal customers. Make it easy for your internal or external customers to do the right thing: make your security mechanism or process the path of least resistance.
As a fellow security professional, don’t you think the study’s advice applies not just to passwords, but to everything we do?