The difference is that previously, humans were considered the weakest link due to lack of awareness or urgency, or lack of controls. In comparison to today’s standards, they are now overwhelmed with the number of passwords they must maintain, weary of complex security policies and training, and tired of just jumping through security hoops in general. The problem is that users will now find ways to either take the easiest road or circumvent security altogether, exposing them to greater risk.
The NIST provided some recommendations for easing this burden:
- Limit the number of security decisions users need to make
- Make it simple for users to choose the right security action
- Design for consistent decision making whenever possible
Unfortunately, the buck doesn’t stop there. What’s even more alarming is that security fatigue has also extended to security professionals, albeit for other reasons. Studies have shown that of those who admitted to it, “10% of security professionals have quietly paid ransomware demands, and that 35% have admitted to circumventing, disabling, or otherwise bypassing their organization's security” (Vigliarolo, 2017). Security professionals are spending most of their time reacting to the constant demands resulting from the controls they have put in place, such as system notifications.
TechRepublic lists some things security professionals can do to reduce redundant tasks:
- Minimize security fatigue by using a single sign-on system like Okta, Shibboleth, or OneLogin
- Do a better job of filtering security alerts and notifications to your IT team
- Create an extra level of administrative privileges that lives between regular users and true admins
- Hold your team accountable when something happens
I can’t say I haven’t experienced security fatigue myself on both ends, though I fully understand the importance of security. I feel the answer is to implement more automated and fool-proof solutions, such as biometrics for authentication.
References
Brown, E. A. (2016, October 19). 'Security Fatigue' Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests. Retrieved May 20, 2017, from https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
Vigliarolo | May 9, 2017, 10:27 AM PST, B. (2017, May 09). Study finds cybersecurity pros are hiding breaches, bypassing protocols, and paying ransoms. Retrieved May 20, 2017, from http://www.techrepublic.com/article/study-finds-cybersecurity-pros-are-hiding-breaches-bypassing-protocols-and-paying-ransoms/