It would seem that 'security fatigue' – a weariness about getting bombarded with security warnings, or being bothered to maintain multiple strong passwords, leading to careless behaviour online – is affecting the majority of the computing public in the US.
A new study focusing on cybersecurity and online privacy from the National Institute of Standards and Technology (NIST) found that the 'majority' of 'typical computer users' who were interviewed experienced what the organisation labelled as security fatigue.
Research took in a wide range of American citizens aged from 20-something up to the over 60s, and even though the interviews conducted weren't directly intended to study any element of fatigue, over half of those questioned expressed feelings of fatigue in their responses.
This weariness to deal with keeping things secure in the digital world stems from a number of factors, one of which is constant warnings about online threats. As one respondent told the NIST: "I don't pay any attention to those things anymore … People get weary from being bombarded by 'watch out for this or watch out for that.'"
Users were also fed up with trying to understand the ins-and-outs of adopting safe behaviour online, and maintaining multiple passwords which are secure – both at home and at work.
Another respondent simply said: "I get tired of remembering my username and passwords."
One of the co-authors of the study, Mary Theofanos, further commented: "Years ago, you had one password to keep up with at work. Now people are being asked to remember 25 or 30. We haven't really thought about cybersecurity expanding and what it has done to people."
The upshot of this accumulation of concerns to bear in mind and logins to remember is a "sense of resignation, loss of control, fatalism … and decision avoidance", which often leads to impulsive behaviour, disregard of any security rules, and just generally choosing the easiest option (such as using the same password for multiple accounts, or having laughably simple passwords; or indeed both).
When it came to taking responsibility for protecting their data online, there was also a sense of 'why bother' from participants, because they believed that with large companies falling prey to data breaches regularly, their details will end up leaked anyway.
It's a pretty gloomy picture, but the NIST does have suggestions regarding how to improve things: firstly, by limiting the number of security decisions any given user has to make, and then most importantly, it must be made "simple for users to choose the right security action".
Or as Theofanos puts it: "Make it hard to do a wrong thing." Or at least harder…