

"blogger, InfoSec specialist, super hero ... and all round good guy" 



What Is Security Fatigue?

People are regularly bombarded with news of massive data breaches and tips for staying safe online. They can read about how to create complex passwords, recognize the signs of a phishing attack and turn on two-factor authentication (2FA) for their devices. But at a certain point, research shows that people stop caring.

At the point that someone stops caring, they're dealing with security fatigue. Often, it arises from being presented with more tech security decisions than they can handle. As such, decision fatigue — which causes people to feel overwhelmed by an abundance of choice — turns into security fatigue.

A Common Issue

When conducting a study about users' online experiences, one research team did not initially seek to study security fatigue. However, while interviewing people, the scientists noticed a prevalent theme of weariness when those individuals talked about being online. More than half of them mentioned symptoms consistent with security fatigue, like feeling resigned and having a loss of control over security.

The study concluded that average computer users felt swamped by having to remember dozens of passwords or always being on alert for possible security issues. They believed computer security was someone else's responsibility and did not want to take ownership of it.

A Range of Frustrations Expressed

Many people discussed getting fed up with having to remember things like passwords and PINs. They also became upset by having to go through additional security measures after forgetting crucial pieces of information.

However — perhaps surprisingly considering the frequency of cyberattacks and the way they often capture the headlines — people often admitted to feeling like going through security measures was a waste of time. They didn't think they were important enough to get targeted by hackers and didn't know anyone who had been hacked.

Researchers Study What Helps People Remember Passwords

Have you ever wondered why it's so easy to remember some passwords while others seem to disappear from your mind soon after you type them in? Another research team, this one based at Rutgers University, took a close look at why people forget passwords. It found that a couple of the factors that affect recall are the password's importance and how often a person uses it.

Moreover, the full-text study determined that secure passwords, such as those with the recommended combination of letters, numbers and special characters that aren't dictionary words, are harder to remember than ones made of familiar words that don't take as much time to type. Perhaps that's why so many people like to use a pet's name or a favorite sports team as a password.

The paper also showed that as people use a particular password more frequently or for a longer length of time, their recall ability goes up.

Install a Password Manager

Passwords are not the only cause of security fatigue, but they're a significant part of why it happens. Using a password manager can relieve security fatigue to some extent, but only if people commit to creating unique passwords for every site they visit.

Since internet users commonly reuse passwords, choosing a new one for each site likely requires a behavior change. Creating a dedicated password for each internet destination ensures that if a hacker gets into one, they'll have access only to that site instead of to several. With a password manager in place, a person has to remember only one master password despite setting up unique ones for all the sites they visit.

Deploy Automatic Updates at the Organizational Level

Many people run so many apps that they receive update alerts almost every time they log on to their computers or use their phones. They often think the updates are just for new features they don't really need or want, but the updates may be security patches that protect users from known vulnerabilities. That's why the IT departments at many businesses automatically and simultaneously update computers on the network. They may push those updates through at night so that workers don't even know they happened. That way, people don't have to decide whether to update their systems.

Help People Recognize Their Roles

If individuals think it doesn't do any good to follow best practices for internet security, they won't. Organizations can fight back against security fatigue by providing real-world examples of how anyone can stop hacks from happening by developing better habits. Incorporating that lesson into ongoing cybersecurity training can encourage people to care.

Make Security an Applicable Concern

Remember that security fatigue happens when people feel like they have to work too hard to stay safe online or like efforts made are ultimately useless. The tips suggested here could help companies show employees that internet security applies to each individual and doesn't have to be a hassle.

Kayla Matthews, tech journalist & writer

