Privacy & Information Security Law Blog

A recent study from the National Institute of Standards and Technology (“NIST”) warns that an overabundance of computer security measures might actually lead users to engage in “risky computing behavior at work and in their personal lives.”

Researchers conducted qualitative interviews with respondents ranging in age from 20 to mid-60s and of various geographic and employment backgrounds, regarding their perception of and beliefs about cybersecurity and online privacy. Researchers found that many respondents were suffering from “security fatigue,” defined as “a weariness or reluctance to deal with computer security.” The feeling of being asked to make more computer security decisions than they were able to manage (e.g., remembering a different password for every website requiring user login) resulted in respondents engaging in higher-risk online behavior, including using the same password for multiple websites and choosing the easiest security option among alternatives. Researchers also found that, in some cases, security fatigue could cause a user to abandon online activity altogether, such as failing to complete an online purchase because he or she felt frustrated with the security measures for creating or accessing an online account.

The study also uncovered a sense of hopelessness among respondents with respect to how they could effectively protect their data given the perceived frequency with which large organizations suffer cyber attacks. Many respondents believed that responsibility for computer security and protecting user data should fall to the entity with which they interact online (e.g., a bank or online retailer).

In a press release, the NIST noted that security fatigue can expose Internet users and the networks they access to security risks and can result in lost customers for businesses. The researchers suggest three ways to alleviate security fatigue and ensure that users follow secure online practices, both in their professional and personal lives:

• limit the number of security decisions that users must make;
• simplify users’ ability to choose the right security action; and
• design for consistent decision making whenever possible.

Researchers intend to conduct additional interviews to further clarify computer security attitudes and behaviors.