If you follow my articles, you have likely noticed my continuous theme of human error and security. Most cybersecurity incidents can in some way, shape, or form be traced back to human mistakes. While there are many reasons for this, it is the opinion of some InfoSec professionals that security itself is in some ways to blame. The methods that cybersecurity experts use to keep users safe from hackers may, as at least asserted by the National Institute of Standards and Technology, be creating "security fatigue."
In a recent report, NIST researchers published the results of their study on security fatigue, which they define as "the affective manifestations resulting from decision fatigue and the role it plays in users' security decisions." The main findings in the report are that many users are practicing improper security habits as a result of increasingly complicated protocols.
As the report's co-author Mary Theofanos asserted, "We haven't really thought about cybersecurity expanding and what it has done to people." This also applies to the IT world as, much like the general public, IT employees are feeling a certain sluggishness with regard to cybersecurity protocols. As Piers Wilson of Huntsman Security told Infosecurity Magazine, "The average security analyst now has an ever-growing stream of warnings and alerts to triage, investigate, understand, and resolve... they will be working in a team that is the same size; or at least hasn't grown in line with the volume of threat information and false positives they are now dealing with."
The solutions proposed by NIST to help reduce security fatigue involve reducing the number of decisions users must make, providing simpler paths to proper security choices, and "design for consistent decision making where possible." There is a legitimate balance that cybersecurity professionals have to strike when establishing protocols to protect individual users or massive networks. I worry, however, that some part of "security fatigue" may just be laziness.
If individuals have trouble following basic security protocols, we may have a larger problem on our hands. Any penetration tester can tell you how, with a little luck and a little social engineering, they compromised a system during an audit. These methods are not new, yet all the time we hear of new "major" hacking incidents involving such tactics. NIST's suggestions should not be ignored, but to put all of the blame on InfoSec professionals for "security fatigue" is absurd.
Cybersecurity is a two-way street. It requires the security side to implement the most effective protocols, but it also requires the user to learn those protocols. This is a constant discussion that needs to be had within the cybersecurity community. Hopefully, the conversation will continue.
Photo credit: Shanghai killer whale