Are you feeling worn out from the barrage of news you encounter each day about ransomware, malware, phishing, and other cyber security attacks? You're not alone! You may be one of the, oh…hundred million or so victims of a painful condition called security fatigue. What's that? Security fatigue is what happens when you feel overwhelmed with too much information about the threats your computers are facing and the steps you have to take to try and safeguard them. It's a weariness that comes upon you that makes you reluctant to learn the details of the latest attack and what you should do to protect yourself. This weariness and reluctance can often end up making you behave in risky ways with regard to your computing devices. It's like you throw up your hands and say, "What's the point? I may as well open this attachment 'cause I'm gonna get hacked anyways someday soon."
Security fatigue has become a big concern for organizations because the security of their information systems depends largely upon the behavior of their employees. That's because in our cloud-connected world a single phishing message can bring down the network of an entire organization. Because of this danger the National Institute of Standards and Technology (NIST) recently did some research on this painful condition and they reported that it was both poorly understood and widespread. Their recommended cure for the condition involves reducing the number of security decisions end users have to make and making it easier for them to consistently determine the right action to perform in each security-related situation. But is it really that simple?
Symptoms and causes of security fatigue
Let's get a bit more technical. What else might indicate the onset of security fatigue besides a general weariness and disgust of everything related to computer security? Some specific symptoms of security fatigue can include clicking on a link in an email even if you're not absolutely sure that it's safe to do so; plugging in a flash drive you were given by a friend even if you're not sure that the antivirus software is up to date on your machine; agreeing to a UAC prompt on your Windows computer even though you're not entirely sure that software you downloaded came from a reputable site that is safe; not taking the time to thoroughly check out the reputation of a new site before you enter your personal information in the form to create a new account for the site; going ahead and using your laptop with the WiFi at the coffee shop even when you can't get your VPN connection to log on properly; and so on.
In short, risky behavior with your smartphone or laptop or other computing device is a sure sign of the onset of a bout of security fatigue. And the causes, as we've already discussed, are obvious: There are just too many dangers we face when we're online, so we block it all out of our minds and proceed anyway. Safe computing just requires too much effort nowadays. We need password managers because of all the different sites we log on to. We need VPNs to counter the threat of various WiFi attacks. We're constantly asked to play the expert whenever we have to install software, open emails, or log into cloud services. We're enveloped in a constant stream of news about cyber threats whose risk we're not educated enough to be able to estimate.
Treatment and prognosis
NIST's program of treatment sounds nice, but the steps involved in implementing it mostly fall upon those who develop software applications and cloud services. Can we expect rational behavior from them? Will they really take into account that building good, easy-to-use security into their products from the ground up will benefit their business in the long run? Looking at the marketplace today I'd say probably not as most companies are going for quick profits vs. building long-term gains.
What about the IT people in our organizations? Will it be advantageous to them to try to implement some of NIST's recommendations? They can try, but I doubt it will have much good effect. Those of us in IT are probably even more afflicted with the security fatigue ailment than the general public or those who we support in our organizations. I don't know one IT security expert that works in the real world that isn't stressed out most of the time. And yet Ving Rhames looks so relaxed when he's working with IT technologies for Tom Cruise in his “Mission Impossible” movies. If only that were the reality for those of us in IT!
The biggest problem, however, is that security fatigue isn't an isolated condition but is part of a larger cluster of ailments which we might call technology fatigue. People love to learn most of the time, but only when they want to do it, not when they have to do it. An obvious example of this is why so many people are still running Windows 7 today instead of upgrading their machines to Windows 10. They just don't want to have to learn how to use the new operating system. Even I, who now have Windows 10 on all my computers, still pull up Control Panel instead of the new Settings interface when I need to change some setting I'm familiar with from using a previous version of Windows.
Cloud apps and services have made this Don't Want to Learn syndrome even worse. And I'm not just talking about older people like myself. Even the young folks I've talked to are becoming fed up with having to learn the latest user interface changes for their favorite social media platform. One of my nephews, a young man in his early 20s, routinely goes into rant mode whenever Zuck & Co. changes how you do something on your Facebook page. Guess how millions of long-time Windows users are going to react as bits and pieces of Control Panel gradually disappear from Windows 10 over the next few releases.
The trend seems to be irreversible as far as technology in general is concerned. The days of fixed software you own are almost gone. How would you feel if the layout of windows and walls in the apartment you rented kept changing every few months? In short, the prognosis for technology fatigue in general -- and security fatigue in particular -- is not good. Unless a miracle cure is found, and found soon, the patient is in serious trouble.
Photo credit: Freerange Stock