October is “cybersecurity month” (National Cyber Security Awareness Month, aka NCSAM). In the effort to educate people about being afraid of things they really can’t control anyway, and are tired of hearing about, the federal government has a different theme every week for getting people in the, uh, spirit of the holiday.
The official Stay Safe Online site tells us,
Since its inception under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation. 2016 marks the 13th year of National Cyber Security Awareness Month.
They say they’re reaching “young people” too, but I’m not convinced.
If the Stay Safe Online site’s cringe-worthy load time doesn’t make you weep, the download-only ‘get involved’ promotional materials will only set off about 50 cybersecurity alarms for the moderately paranoid among us.
Thrillingly (not), the weekly themes for Cybersecurity Month include:
- STOP. THINK. CONNECT.: The Basic Steps to Online Safety and Security (The main campaign is the all-caps shouty “STOP. THINK. CONNECT.” — and apparently they’ve been using the same campaign for six years.)
- From the Break Room to the Boardroom: Creating a Culture of Cybersecurity in the Workplace
- Recognizing and Combating Cybercrime
- Our Continuously Connected Lives: What’s Your “Apptitude”?
- Building Resilience in Critical Systems
Maybe I’m being too harsh, but … after 13 years, it doesn’t seem to be catching on.
Within the first week, this exciting holiday was dealt a blow by new research from NIST. In a new paper called Security Fatigue, the government’s technical standards-setting body found that relentless cybersecurity education efforts may be counterproductive. That’s because ordinary people tune out when they feel overwhelmed by security advice. Which I think nearly everyone in infosec could’ve told them, as we’ve been fighting this uphill battle for most of our lives — that is, when we’re not feeling overwhelmed and helpless about it ourselves.
Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore…People get weary from being bombarded by ‘watch out for this or watch out for that.’”
(…) The study, published this week in IEEE’s IT Professional, draws on data from a qualitative study on computer users’ perception and beliefs about cybersecurity and online privacy. The subjects ranged in age from their 20s to their 60s, hailed from urban, suburban and rural areas, and held a variety of jobs.
(…) Researchers found that the result of weariness leads to feelings of resignation and loss of control. These reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules. (…) Individuals also questioned how they could effectively protect their data when large organizations frequently fall victim to cyberattacks.
The study’s researchers say it’ll take “a multidisciplinary team of computer security experts, psychologists, sociologists and anthropologists working together to improve computer security issues, including behavior, to manage security fatigue.”
Maybe it should be called Security Fatigue Awareness Month instead.
Journalist, Author at Engadget, No Starch Press