How to fight security fatigue

By Wendy Zamora

We live in the age of the 24-hour news cycle. Each day, whether it’s from TV news, phone notifications, online browsing, social media, or even the good old-fashioned newspaper, we hear stories of the increasing dangers of cybercrime.

Cyberthreats are growing more serious!

Russian hacker starts his own ransomware service!

Experts say tech support scams are picking up!

Feeling overwhelmed yet? You’re not alone. A recent study published by the National Institute of Standards and Technology (NIST) says that “security fatigue” is a real phenomenon affecting 63 percent of its participants. So what, exactly, is security fatigue? And why is it a dangerous, though understandable, phenomenon?

What is security fatigue?

Over and over again, people are bombarded with articles about criminals lurking on the Internet, security breaches in businesses and government, and the need to be constantly vigilant online. Our Malwarebytes researchers are asked by the press to comment on their discoveries of new forms of malware or the latest security breach on a nearly daily basis. And while the media are reporting on legitimate dangers, their fever pitch can leave readers and viewers frozen in a combined state of panic and helplessness.

Users are encouraged to update passwords constantly, run antivirus programs, enable two-factor authentication, and read unwieldy EULAs carefully, often without a clear understanding of why. According to the NIST report:

“People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it.”

The volume of messaging, combined with an unclear understanding of how to move forward, is what leads to security fatigue, which NIST researchers define as “a threshold at which it simply becomes too hard or burdensome for users to maintain security.” In plain English, people are hearing so much about cybersecurity now that they’re becoming desensitized to the dangers and cybersecurity best practices.

“I think I am desensitized to it—I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay any attention to those things anymore because it’s in the past.” –Participant 101

What happens when you’ve got security fatigue?

Security fatigue manifests itself in much the same way as what psychologists call decision fatigue. People reach a limit with how much information they can process, leaving them weary and unable to make a rational decision moving forward. Security fatigue impacts decision-making in the following ways. People might:

  • avoid unnecessary decisions
  • choose the easiest available option
  • make decisions driven by immediate motivations
  • choose to use a simplified algorithm
  • behave impulsively
  • feel resignation and a loss of control

After the 10,000th story reminding you not to visit shady websites, or to be wary of advertising on prestigious websites, or warning you about what is fake news and what’s real, people with security fatigue will stick their heads in the sand, cover their ears, and yell, “La la la! Don’t tell me anything else!” But it goes even deeper than that. When people are online and run into too many barriers to getting where they want, the frustration shuts them down.

“If you give me too many more blocks, I am going to be turned off. My [X] site, first it gives me a login, then it gives me a site key I have to recognize, and then it gives me a password. So that is enough, don’t ask me anything else.” –Participant 109

In addition, psychologists Amos Tversky and Daniel Kahneman, who are cited in the NIST report, argue that when people are fatigued, they fall back on behavioral and cognitive biases when making decisions. This means that they might believe:

  • They’re not personally at risk (they have nothing of value that a criminal would want).
  • Someone else is responsible for security, and if targeted, they will be protected.
  • No security measure that they put in place will really make a difference.

So now, not only are people tired and frustrated, they’re also feeling fatalistic—nothing they do will matter anyway, so they may as well not make an effort.

We get it, but don’t give up

While this might seem like irrational behavior, psychologically it makes perfect sense. Users are conducting a cost-benefit analysis and, when presented with complex security advice that promises little and expects a lot, they decide it’s not worth their time.

Case in point: You’re trying to transfer some money between bank accounts and can’t remember the password. Then you have to reset the password, but you can’t remember the password to the email account you signed up with. So you reset THAT password. You finally sign into your bank account and discover you need to set up two-factor authentication, so you wait for the text to come through on your phone, only to discover its battery is dead and you need to charge it. Meanwhile, your antivirus is running a scan and has found a piece of malware on your machine, which means you’ll need to close out of your online account and restart your computer. It’s enough to infuriate the most Zen of Buddhists.

But! But…it’s problematic to turn your back on cybersecurity best practices entirely. Clearly doing nothing will not make cybercrime go away. If crime rates were rising in your neighborhood, would you stop locking your door because you’re overwhelmed? Doubt it. Locking your door is a simple step that wards off a good portion of attacks. Adding an alarm system puts a second layer behind it, and it is also fairly simple to install.

So what are some simple ways you can stay protected online without feeling exhausted?

Three simple steps

There are three easy and effective steps you can take to ward off the bulk of the everyday threats out there while also maintaining your sanity. Without further ado:

  1. Get a password manager.

On average, people are asked to remember 22 separate passwords, according to a BBC report. You’re not supposed to write them down, and you’re likely prompted to change them every few months for maximum security. Yeah. It’s getting out of control. Simplify your life by using a password manager like 1Password. It’ll load all your passwords into one encrypted place with only a single master password to remember.

  2. Check before you click.

Does it look suspicious? It probably is. This applies everywhere online, but it is especially important for email. Don’t open email attachments or click on links asking for personal data unless you’re certain who the sender is. Look at the actual sender address, not just the display name, and hover over a link to see where it really goes before you click. If you’re still unsure, search for the company name and go to its site directly rather than through the link in the message.

  3. Keep your devices and software updated.

This one might be annoying, but at least you don’t have to remember to update on your own. Your device and software will ping you when there’s a new update to run. As soon as you see that notification, go ahead and run the update. For five minutes of inconvenience, you get a whole lot of peace of mind.
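As an added illustration of the “check before you click” advice above (example code written for this page, not something from the original post or from Malwarebytes), the following Python script parses a constructed phishing message and automates the two checks a reader is asked to make by eye: a display name that claims a brand while the actual address is on another domain, and link text that shows one URL while the href quietly goes somewhere else. The sample message, the addresses and the domains in it are all made up, and the domain comparison uses a simplified last-two-labels rule rather than a real public-suffix list.

```python
"""Flag the two mismatches that "check before you click" asks you to spot:
display name vs. real sender domain, and visible link text vs. real href."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message; every address and domain is made up.
SAMPLE_EMAIL = b"""\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
To: customer@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://examp1e-bank-verify.com/login">https://www.example-bank.com/login</a>
to confirm your details.</p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: simple TLDs, no public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(from_header, expected_domain):
    """Warn when the address behind the display name is not on the brand's domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if registrable_domain(domain) != expected_domain.lower():
        return f"sender '{name}' <{addr}> is not from {expected_domain}"
    return None


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def check_links(html_body):
    """Warn for each link whose visible text is a URL on a different domain than its href."""
    collector = LinkCollector()
    collector.feed(html_body)
    warnings = []
    for href, text in collector.links:
        if not looks_like_url(text):
            continue  # plain words such as "Help center" cannot lie about a host
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(text_host) != registrable_domain(href_host):
            warnings.append(f"link text shows {text_host} but goes to {href_host}")
    return warnings


def analyze(raw_email, expected_domain):
    """Run both checks over a raw RFC 5322 message and return the list of warnings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)
    warnings = []
    sender_warning = check_sender(str(msg["From"]), expected_domain)
    if sender_warning:
        warnings.append(sender_warning)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        warnings.extend(check_links(body.get_content()))
    return warnings


if __name__ == "__main__":
    for warning in analyze(SAMPLE_EMAIL, "example-bank.com"):
        print("WARNING:", warning)
```

Running it against the constructed message produces two warnings: the sender is on a lookalike domain, and the first link displays the bank’s URL while its href points at the lookalike. The second link is left alone because “Help center” is not a URL and so cannot misrepresent a host; a real mail filter would go further (public-suffix handling, punycode, shortened URLs), but these two comparisons are exactly what the hover-and-look advice asks a person to do.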

And, finally, if you want to breathe a little easier and invest in a security system, consider a comprehensive next-gen antivirus program (boot your old antivirus out the door) that uses multiple layers of technology to catch all the latest threats. Let it run in the background full-time so you’re always protected.

Nothing is foolproof. But doing a little something is a heck of a lot better than doing absolutely nothing. Don’t let security fatigue get the better of you.

The post How to fight security fatigue appeared first on Malwarebytes Labs.
