What is Security Fatigue and what causes it?
Security Fatigue is the idea that the average internet user treats online security with complacency and considers any risk to themselves as quite low. This leads to a combination of feeling overwhelmed by, dismissive of, or desensitised to the various warnings of potential risks, the advice to be constantly vigilant, and the constantly changing security measures recommended as ‘best practice’. The fatigue part basically symbolises throwing in the towel on cybersecurity. Some of the contributing causes are:
Lack of resources: We constantly hear through email, news cycles and social media of big companies being breached or having data compromised, so we think with a degree of acquiescence: ‘if a big organisation with huge resources can’t protect itself, what chance do I have?’
Increase in online accounts: As we discussed in Password Hygiene 101, the sheer volume of usernames and passwords we need to memorise has increased dramatically. What tends to happen is we forget passwords and feel frustration at having to go through a password reset process, which leads to Security Fatigue. What happens next is people fall back to using weak passwords and reuse the same one across multiple accounts, increasing their exposure in the event of a compromise: one breached service then hands an attacker working credentials for every other account sharing that password.
Lack of direct impact: Anyone who has ever had a car or house broken into has felt that uneasy feeling of knowing a stranger has been in their private space. Unfortunately, in the online world we can’t always tell this has happened, or is continuing to happen, on our devices or on the systems of companies we engage with. In addition, many people think of themselves as insignificant, and ‘it’s never happened to anyone I know and it will never happen to me’ thinking takes over.
Unawareness of responsibility: We tend to think the service we are using is responsible for all security protections. For example, when we log in to our online banking, we tend to think all responsibility for a secure interaction rests with the bank and its digital security team, who create and maintain the banking portal, dismissing our own responsibility within the relationship. This is even more worrying if you are the head of an organisation, as many employees believe the IT team is a safety net for their risky use of company devices. Indeed, it’s not uncommon for people to avoid opening a suspicious email or file on a personal device, choosing to do it at work instead – just in case.
Overload of information: There is so much, often conflicting, information about what to do, how to behave, what software to use and so forth with respect to online security that it leads to decision fatigue. Privacy Rightfully is actually hoping to become a central, trusted repository to overcome this issue in the years to come.
What are the signs of experiencing Security Fatigue?
Here are some of the signs that you or someone you work with feels a degree of security fatigue. The potential consequences of these signs heighten the risk of becoming the low hanging fruit for bad actors:
- Not practising good password hygiene
- Not using antivirus and antimalware software
- Not using secure connections
- Not updating device software
- Not reporting suspicious activity
- Falling victim to phishing scams
- Dismissing warnings from your device regarding potential threats without investigating or scanning the file in question
What can I do to address this?
Flip your thinking on its head and apply the decision-making processes from the real world to the online world. If you download a new file and your computer warns “the file may have a virus”, or something similar to that effect, stop and apply it to a real-world situation. If you went on a date with someone and they wore a shirt that stated “may contain an STI”, would you take safety precautions before jumping into the bedroom? If your doctor ran a series of tests which indicated you may have a serious illness, would you get further tests done to confirm or reject the initial warning?
The answer to those questions is obvious; however, most people’s rationality changes when engaging with the online world compared to the real world. The birth of personal computers, and of the internet that followed, always maintained an obvious gap between the ‘real’ or offline world and the online world. However, so many of our jobs, accounts, interactions, communications and life in general have since moved to being more online based.
So much of our lives is moving to being online dominant and eventually online exclusive. Already we see online only businesses such as banks, insurance companies and some car brands; indeed, I’ve personally experienced being turned away from a bricks and mortar store because a product is ‘online only’. This wasn’t for anything obscure by the way – a toner cartridge for a mainstream printer and a somewhat basic tool from a large hardware retailer. Here’s our view articulated in table form (the timeline is an estimate as to when the ball really got rolling or a concept became mainstream, not the time something first occurred):
What does this have to do with Security Fatigue and what do you mean by blind trust happened?
When we say blind trust happened, we mean the general public began to trust the internet as a safer and more convenient place to manage their affairs through various online accounts, portals and business interaction options. We say it’s blind because the average person’s interpretation of online risks, threats and dangers never caught up with how they assess risks, threats and dangers in the real world (as per the date and doctor examples earlier).
The online world is arguably moving toward becoming more dangerous than the offline world, and it certainly knows more about you than those you’ve trusted with your deepest, darkest secrets, such as your husband or wife. The problem is we don’t see, understand or recognise online dangers the way we recognise dangers in the real world. When the average person sees a car driving precariously toward them, they take action to reduce their risk by moving out of the way or running in a safe or opposite direction. In the online world, most people can’t see the car hurtling toward them, or simply think it won’t hit them because they’ve never been hit before. There is a blind trust that we’ve given the online world that we wouldn’t dare apply to the real world, and this failure to respect the growing similarities between the dangers of the two leads to Security Fatigue.
In summary, the thinking of the average person experiencing Security Fatigue is something like this: ‘Big organisations can’t stop data breaches, the best strategies to defend against threats are always changing, and it’s never happened to me or anyone I know, so why bother trying to keep up?’
The reason to keep up and respect online security is precisely because the average person doesn’t. We always say ‘don’t be the low hanging fruit for bad actors’: reduce your risk of being an easy target by removing yourself from the pool of internet users who are. Security Fatigue is like the third week of a diet: results are hard to see, you have to commit to an unenjoyable process, and you get the craving to indulge in what’s counterproductive to your goal. Losing weight and being secure online to protect your data and privacy both require awareness and knowledge coupled with the willpower and determination to be true to your commitment. Be aware and recognise when it’s happening; Security Fatigue implies that negative consequences are a fait accompli when they don’t have to be. Yes, it’s hard, but like losing weight, it’s worth it.