Computer Users Offer a Word about Cybersecurity: Enough
As DHS's National Cyber Security Awareness Month winds down, people report security fatigue.
Some computer users report feeling afflicted by security fatigue, a condition that can leave them feeling hopeless and acting recklessly, according to a study from the National Institute of Standards and Technology (NIST). The study defines security fatigue as a weariness or reluctance to deal with computer security. “I don’t pay any attention to those things anymore,” reported one research participant. “People get weary from being bombarded by, ‘Watch out for this or watch out for that.’”
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” writes study co-author Brian Stanton, who also is a cognitive psychologist. “It is critical because so many people bank online, and since health care and other valuable information is being moved to the Internet.”
NIST computer scientist Mary Theofanos and colleagues interviewed computer users from a variety of backgrounds and learned they felt overwhelmed and bombarded by online security. To reduce security fatigue, NIST offers recommendations such as limiting the number of security decisions users need to make; making it simple for users to choose the right security action; and designing systems so that users can make consistent decisions whenever possible.
Participants reported wondering why they might be targets of cyber attacks, indicating they did not feel “important enough” for anyone to steal their information, the report states.
The Department of Homeland Security (DHS) launched National Cyber Security Awareness Month (NCSAM) 13 years ago, promoting a month-long campaign to “ensure every American has the resources they need to stay safer and more secure online.”
It seemed enough at the time, but cyber vulnerabilities have rapidly, and with a high degree of sophistication, morphed many times over in recent history, posing serious tangible risks to national security. “The idea that you can take an hour-long, online course once a year and somehow that is going to get you all you need to know from a cyber hygiene perspective presents false thinking,” says Richard Spires, former chief information officer at the DHS and Internal Revenue Service and current CEO of Learning Tree International.
More and more companies and organizations are moving to models where reminders to practice good cyber hygiene are presented on a regular basis, in short message-for-the-day segments, he says. That approach is not enough, however, Spires advises. “People make mistakes. To think that somehow, we are going to educate ourselves out of this problem, is also not right.”
Additionally, a greater number of those companies and organizations now comprehensively address cybersecurity as a true risk management problem, he adds. “Many organizations have not really done that in the past. The not so good news, however, is that there is such a dearth of talent to address these issues,” says Spires, citing recent figures that put the worldwide shortage of cybersecurity expertise at 2 million. “It really is difficult to build a team these days.”
Cybersecurity must be approached as a complete puzzle, with education alongside the five recommended functions of identify, protect, detect, respond and recover outlined in NIST’s Cybersecurity Framework, which has been widely adopted by government and industry. Roughly 30 percent of U.S. organizations have adopted the framework, a figure expected to rise to 50 percent by 2020, according to the research firm Gartner. “That’s heartening to read,” says Spires, a proponent of the framework.
“It doesn’t necessarily solve the problem of a shortage of workers, but at least it starts to get to the issue: What do we need?” he continues. “Based on that, you can start looking at training and development and capabilities to essentially bring your workforce along, recruit where you need to, to develop a strong cybersecurity workforce.”