We live in the age of the 24-hour news cycle. Each day, whether it’s from TV news, phone notifications, online browsing, social media, or even the good old fashioned paper, we hear stories of the increasing dangers of cybercrime.
Feeling overwhelmed yet? You’re not alone. A 2017 study published by the National Institute of Standards and Technology (NIST) says that “security fatigue” is a real phenomenon affecting 63 percent of its participants. So what, exactly, is security fatigue? And why is it a dangerous, though understandable, phenomenon?
What is security fatigue?

Over and over again, people are bombarded with articles about criminals lurking on the Internet, security breaches in businesses and government, and the need to be constantly vigilant online. Our Malwarebytes researchers are asked by the press to comment on their discoveries of new forms of malware or the latest security breach on a daily basis. And while the media are reporting on legitimate dangers, their fever pitch can leave readers and viewers frozen in a combined state of panic and helplessness.
Users are encouraged to update passwords constantly, run antivirus programs, participate in two-factor authentication, and read unwieldy EULAs carefully—often without a clear understanding of why. According to the NIST report:
“People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it.”
The volume of messaging, combined with an unclear understanding of how to move forward, is what leads to security fatigue, which NIST researchers define as “a threshold at which it simply becomes too hard or burdensome for users to maintain security.” In plain English, people are hearing so much about cybersecurity now that they’re becoming desensitized to the dangers.
“I think I am desensitized to it—I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay any attention to those things anymore because it’s in the past.” –Participant 101
What happens when you’ve got security fatigue?

Security fatigue manifests itself in much the same way as what psychologists call decision fatigue. People reach a limit with how much information they can process, leaving them weary and unable to make a rational decision moving forward. Security fatigue impacts decision-making in the following ways. People might:
- Avoid unnecessary decisions
- Choose the easiest available option
- Make decisions driven by immediate motivations
- Choose to use a simplified algorithm
- Behave impulsively
- Feel resignation and a loss of control
“If you give me too many more blocks, I am going to be turned off. My [X] site, first it gives me a login, then it gives me a site key I have to recognize, and then it gives me a password. So that is enough, don’t ask me anything else.” –Participant 109

In addition, psychologists Amos Tversky and Daniel Kahneman, who are cited in the NIST report, argue that when people are fatigued, they fall back on behavioral and cognitive biases when making decisions. This means that they might believe:
- They’re not personally at risk (they have nothing of value that a criminal would want).
- Someone else is responsible for security, and if targeted, they will be protected.
- No security measure that they put in place will really make a difference.
We get it, but don’t give up

While this might seem like irrational behavior, psychologically, it makes perfect sense. Users are conducting a cost-benefit analysis and, when presented with complex security advice that promises little and expects a lot, they decide it’s not worth their time.
Case in point: You’re trying to transfer some money between bank accounts and can’t remember the password. Then you have to reset the password, but you can’t remember the password to access the email you signed up to the account with. So you reset THAT password. You finally sign into your bank account and discover you need to set up two-factor authentication—so you wait for the text to come through on your phone, only to discover its battery is dead and you need to charge it. Meanwhile, your antivirus is running a scan and has found a piece of malware on your machine, which means you’ll need to close out of your online account and restart your computer. It’s enough to infuriate the most Zen Buddhist.
But! But…it’s problematic to turn your back on cybersecurity entirely. Clearly doing nothing will not make cybercrime go away. If crime rates are rising in your neighborhood, would you stop locking your door because you’re overwhelmed? Doubt it. But locking your door is a simple solution that can ward off a good portion of attacks. Adding a security system would double the protection. Again, fairly simple to install.
So what are some simple ways you can stay protected online without feeling exhausted?
Four simple steps

There are four easy and effective steps you can take to ward off 90 percent of the crap out there while also maintaining your sanity. Without further ado:
- Get a password manager.
- Use an ad blocker.
- Keep your devices and software updated.
- Check before you click.
And, finally, if you want to breathe a little easier and invest in a security system, consider a cybersecurity program (boot your old antivirus out the door) that uses multiple layers of technology to catch the latest threats. Let it run in the background full-time so you’re always protected.
Nothing is foolproof. But doing a little something is a heck of a lot better than doing absolutely nothing. Don’t let security fatigue get the better of you.