Security fatigue is real – we need usable security

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
A preliminary study involving 40 computer users of different ages, occupations, and living in different settings has shown what most of us already know to be true: security fatigue is a real thing.


Security fatigue – weariness from dealing with computer security as well as reluctance to do so – leads to risky computing behavior such as avoiding security decisions altogether and going with the easiest option, failure to follow security rules, and so on. It also carries with it a sense of dread and, ultimately, resignation.

The subjects were asked details about their home and work computer use, and about computer security, security terminology, security icons and tools.

Aside from an obvious disbelief in the idea that they could be important enough to be targeted in a cyberattack, the responses also showed an “overwhelming feeling of weariness”.

The respondents are tired of having to memorize usernames and passwords, PINs and security questions; of having to be constantly wary of possible dangers, of having to discern the subtleties of different online security issues, and of having to make (too many) smart decisions to keep themselves secure.

“The more decisions we make in the course of the day, the harder they become,” says computer scientist Mary Theofanos, who is one of the authors of the study. And once users reach the stage when they are simply too tired to make them, they either begin avoiding making a decision altogether, or fall back into (usually bad) habits.

Instilling good security habits into users is, of course, one of the solutions to this problem.

Others include organizations (banks, online retailers, and so on) making it simple for users to opt for the right security action, designing their offerings in a way that pushes users towards consistent decision making, and minimizing the number of security decisions users are asked to make.

In short, organizations should make it easy for users to do the right thing, make it hard to do the wrong thing, and help users to recover when the wrong thing happens, says Theofanos.

Full Article. https://www.helpnetsecurity.com/2016/10/06/security-fatigue-usable-security/
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Cool share Frog,
Security was a little intimidating for me back before I took the time to ask questions, be patient and learn. I don't know about you guys but for me I wanted to educate myself, investigate, and know what the hell I was doing. But I have always been like that, "inquisitive", and I think that's the kind of drive it takes. I know not all PC users are like me, so I can see where it would get overwhelming for someone not so inclined, or interested. There's nothing wrong with that, to each their own, and I am glad MT is here with doors wide open for the advanced, medium, and novice user alike. It's the only site I frequent that can claim such a noble standing. U da man Jack :)
 
Rod McCarthy

Well this is the place to go, IF people want to learn, so many knowledgeable members here, willing to share...

BUT... Here is what I want....SOME Company to take the best of everything produced by others, put it into one software package, even if it's only a good signature AV, then add to that a cloud service, then a lite sandbox, an intuitive Anti-Exe, a lite outbound and inbound firewall, a lite version of app-guard....ETC ETC... You get the idea.

This is possible in one package, and with the right person behind it, with the right coding it would be effective and lite, all in one package....And I don't care if you charge double what others charge for a security suite I will buy it.
 

Balrog

Level 6
Verified
May 5, 2015
260
Sometimes, very frequently, I receive answers from my customers: "I don't have any secrets or important information in my network / laptop / server"...

:eek:
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I'm very confused ??
 
hjlbx

The best security is default-deny without any local user having the capability to allow. In the Enterprise world that is the model that many follow - and it works...
  • No decisions to be made by the workstation user
  • It is what it is and they can't modify it (resigned to the fact that they can't change it)
Physical system stays clean since it is locked-down.
 
