How to fight security fatigue

How to fight security fatigue

We live in the age of the 24-hour news cycle. Each day, whether it’s from TV news, phone notifications, online browsing, social media, or even the good old fashioned paper, we hear stories of the increasing dangers of cybercrime.

Cyberthreats are growing more serious!

Russian is actively preparing for cyberwar!

Experts say tech support scams are picking up!

Feeling overwhelmed yet? You’re not alone. A 2017 study published by the National Institute of Standards in Technology (NIST) says that “security fatigue” is a real phenomenon affecting 63 percent of its participants. So what, exactly, is security fatigue? And why is it a dangerous, though understandable, phenomenon?

What is security fatigue?

Over and over again, people are bombarded with articles about criminals lurking on the Internet, security breaches in businesses and government, and the need to be constantly vigilant online. Our Malwarebytes researchers are asked by the press to comment on their discoveries of new forms of malware or the latest security breach on a daily basis. And while the media are reporting on legitimate dangers, their fever pitch can leave readers and viewers frozen in a combined state of panic and helplessness.

Users are encouraged to update passwords constantly, run antivirus programs, participate in two-factor authentication, read unwieldly EULAs carefully—often without a clear understanding of why. According to the NIST report:

“People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it.”

The volume of messaging, combined with an unclear understanding of how to move forward, is what leads to security fatigue, which NIST researchers define as “a threshold at which it simply becomes too hard or burdensome for users to maintain security.” In plain English, people are hearing so much about cybersecurity now that they’re becoming desensitized to the dangers.

“I think I am desensitized to it—I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay any attention to those things anymore because it’s in the past.”  –Participant 101

What happens when you’ve got security fatigue?

Security fatigue manifests itself in much the same way as what psychologists call decision fatigue. People reach a limit with how much information they can process, leaving them weary and unable to make a rational decision moving forward. Security fatigue impacts decision-making in the following ways. People might:

  • Avoid unnecessary decisions
  • Choose the easiest available option
  • Make decisions driven by immediate motivations
  • Choose to use a simplified algorithm
  • Behave impulsively
  • Feel resignation and a loss of control

After the 10,000th story reminding you not to go to shady websites, or to be aware of malicious advertising on good websites, or warnings about what is fake news and what is real, people with security fatigue will stick their head in the sand, cover their ears, and yell, “La la la! Don’t tell me anything else!” But it goes even deeper than that. When people are online and experience too many barriers to getting where they want, they experience frustration that shuts them down.

“If you give me too many more blocks, I am going to be turned off. My [X] site, first it gives me a login, then it gives me a site key I have to recognize, and then it gives me a password. So that is enough, don’t ask me anything else.” –Participant 109

In addition, psychologists Amos Tversky and Daniel Kahneman, who are cited in the NIST report, argue that when people are fatigued, they fall back on behavioral and cognitive biases when making decisions. This means that they might believe:

  • They’re not personally at risk (they have nothing of value that a criminal would want).
  • Someone else is responsible for security, and if targeted, they will be protected.
  • No security measure that they put in place will really make a difference.

So now, not only are people tired and frustrated, they’re also feeling fatalistic—nothing they do will matter anyway, so they may as well not make an effort.

We get it, but don’t give up

While this might seem like irrational behavior, psychologically, it makes perfect sense. Users are conducting a cost-benefit analysis and, when presented with complex security advice that promises little and expects a lot, they decide it’s not worth their time.

Case in point: You’re trying to transfer some money between bank accounts and can’t remember the password. Then you have to reset the password, but you can’t remember the password to access the email you signed up to the account with. So you reset THAT password. You finally sign into your bank account and discover you need to set up two-factor authentication—so you wait for the text to come through on your phone, only to discover its battery is dead and you need to charge it. Meanwhile, your antivirus is running a scan and has found a piece of malware on your machine, which means you’ll need to close out of your online account and restart your computer. It’s enough to infuriate the most Zen Buddhist.

But! But…it’s problematic to turn your back on cybersecurity entirely. Clearly doing nothing will not make cybercrime go away. If crime rates are rising in your neighborhood, would you stop locking your door because you’re overwhelmed? Doubt it. But locking your door is a simple solution that can ward off a good portion of attacks. Adding a security system would double the protection. Again, fairly simple to install.

So what are some simple ways you can stay protected online without feeling exhausted?

Four simple steps

There are four easy and effective steps you can take to ward off 90 percent of the crap out there while also maintaining your sanity. Without further ado:

  1. Get a password manager.

On average, people are asked to remember 27 separate passwords, according to a BBC report. You’re not supposed to write them down, and you’re likely prompted to change them every few months for maximum security. Yeah. It’s getting out of control. Simplify your life by using a password manager like 1Password. It’ll load all your passwords into one encrypted place with only a single master password to remember.

  1. Use an ad blocker.

Ad blocking provides a vital security layer that not only severs a potential attack method for online malvertising attacks, but also blocks privacy-invading tracking plugins from collecting and harvesting your personal information. In addition, blocking online ads and trackers conserves bandwidth and battery life, boosts website response times, and generally improves the overall user experience. No brainer! Check out our post on how to block ads like a pro to see which ad blockers might be best for you and your browsing experience.

  1. Keep your devices and software updated.

This one might be annoying, but at least you don’t have to remember to update on your own. Your devices and software will ping you when there’s a new update to run. As soon as you see that notification, go ahead and run the update. Or, you can also set updates to run automatically. For five minutes of inconvenience, you get a whole lot of peace of mind.

  1. Check before you click.

Does it look suspicious? It probably is. This applies everywhere online, but is especially important for emails. Don’t open email attachments or click on links asking for personal data unless you’re 100 percent sure of who the sender is. Hover over the sender address if you need to confirm. And if you’re still unsure, go ahead and Google the company name and see what comes up.

And, finally, if you want to breathe a little easier and invest in a security system, consider a cybersecurity program (boot your old antivirus out the door) that uses multiple layers of technology to catch the latest threats. Let it run in the background full-time so you’re always protected.

Nothing is foolproof. But doing a little something is a heck of a lot better than doing absolutely nothing. Don’t let security fatigue get the better of you.


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Writer, editor, and author specializing in security and tech. Content guru. Lover of meatballs.