
Oh dear. It may very well be National Cybersecurity Awareness Month, but a new study suggests that many of the general public have thrown in the towel and given up.

The detailed study, from the National Institute of Standards and Technology (NIST), suggests that the public is suffering from “security fatigue” and a feeling of helplessness when it comes to their online security:

“Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue. The authors found that the security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.”

Resignation, fatigue, dread, decision avoidance… these aren’t good things. If users feel out of their depth when it comes to securing themselves online, they are either going to avoid making decisions altogether or fall back on bad habits.

Some of the statements given by the study’s participants paint a concerning picture:

“Security seems to be a bit cumbersome, just something else to have and keep up with.”

“I think I am desensitized to it… People get weary of being bombarded by watch out for this, watch out for that.”

“…first it gives me a login, then it gives me a site key I have to recognize, then it gives me a password. So that is enough, don’t ask me anything else.”

“I get tired of remembering my username and passwords.”

“I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”

“It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.”

When you read comments like that, it’s understandable that some people are exhibiting signs of “security fatigue”.

But does security really have to be that much of a pain?

NIST proposes a three-point plan to ease security fatigue and help users improve their behaviour when it comes to online security:

  • Limit the number of security decisions users need to make
  • Make it simple for users to choose the right security action
  • Design for consistent decision making whenever possible

As report co-author Mary Theofanos explains, instilling some good habits is essential. If safe behaviour becomes habitual, then when we feel swamped by the craziness of the online world we will at least fall back into habits that have been designed to protect us, rather than ones that put us at greater risk.

And it is important to take some of the tricky decisions away from the users. The goal should be for doing the right thing to be the easy choice, and it being much harder to do the wrong thing. And, of course, to help users recover when the wrong thing happens (as they surely still will sometimes!)

We are all now in the lucky position to not only have powerful computers in the workplace and at home, but even carried in our pockets everywhere we go. Our increased interconnectivity might open us up to more opportunities for attack, but the technology we have alongside us can play a significant part in making things simpler and safer.

Many of the respondents quoted above, for instance, describe problems with passwords, PINs and the security measures they have to get through to access their accounts.

Yes, the typical person does feel exhausted at the prospect of having to ensure that their passwords are not just unique, but more than 20 characters long and composed of a gobbledygook random collection of letters, symbols and numbers, let alone the challenge of remembering them.

But that’s where computers and smartphones come in. The most common question I am asked by members of the public is “I know I’m supposed to have lots of different, complex passwords… but how am I supposed to remember them?”

Well, good news! You’re not supposed to remember them. In fact, if you can remember them you’re probably doing it wrong!

Instead, invest in a decent password manager which will securely store your passwords for you and even generate properly random, complex passwords when you need to create a new account online.

Password management software can be used to not just remember your login passwords, but also your PIN numbers and the answers to those impossible questions your bank sometimes asks about your mother’s French teacher’s maiden name.
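What “properly random” means in practice is worth spelling out, because it is the one thing a password manager does that a human cannot. The following is an added example, not code from the article or from any particular password manager: it generates a password with Python’s cryptographically secure `secrets` module, keeps the draw uniform over the set of passwords a site’s composition policy accepts (by rejection sampling rather than by forcing one character of each class and shuffling, which biases the result), and estimates the entropy in bits. The character classes, the symbol set and the policy of “one of each class” are assumptions chosen for the illustration; real sites vary, as the comments below note.

```python
# Added example (not from the article): how a password manager's generator
# should produce "properly random, complex" passwords. Standard library only;
# the character classes, symbol set and policy below are assumptions.
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"   # assumed symbol set; sites differ
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
REQUIRED_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def meets_policy(password, required_classes=REQUIRED_CLASSES):
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in required_classes)


def generate_password(length=20, alphabet=ALPHABET, required_classes=REQUIRED_CLASSES):
    """Draw a password uniformly at random from the policy-compliant strings.

    secrets.choice is backed by os.urandom; the `random` module is never
    appropriate here, since Mersenne Twister output is predictable once an
    attacker has seen a few values. Rejection sampling keeps the output
    uniform over the compliant set: the common shortcut of forcing one
    character from each class and shuffling the rest produces a biased
    distribution, so it carries less entropy than its length suggests.
    """
    if length < len(required_classes):
        raise ValueError("length too short to contain every required class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, required_classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on guessing entropy for a uniform draw: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "about %.0f bits" % entropy_bits(len(pw), len(ALPHABET)))
    # A site that bans symbols shrinks the alphabet; the entropy drops with it,
    # which is why adding length is the easy way to compensate.
    no_symbols = generate_password(16, LOWER + UPPER + DIGITS, (LOWER, UPPER, DIGITS))
    print(no_symbols, "about %.0f bits" % entropy_bits(16, 62))
```

The point for a non-technical user is the last line of the `main` block: when a site forbids symbols or caps the length, the right response is to let the manager make the password longer, not to start remembering it.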

If we take the time to explain, and demonstrate the benefits that secure practices can bring, then we can increase the chances of regular non-technical members of the public embracing online safety.

After all, when designed and implemented properly, the whole point about security solutions should be to reduce stress and fatigue.

What are the tips you give your non-technical friends and family members for staying safe online? How do you think those of us in the industry should change our ways to help the general public? Leave a comment below with your thoughts.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc

  • Blank Reg

    It is a major chore, to be sure. I just had to completely uninstall my anti-virus (Avira) so that I could install Windows 10 Anniversary Update. This is a ridiculous situation. Installing updates and running anti-virus are now conflicting objectives!

    I use a password manager (recommended by security professionals), but then I find that some sites turn off the paste facility in password fields, so I had to find a way round that.

    And all that business of turning off Flash in my various browsers. I’m a software developer by profession and I find the situation unmanageable.

  • Ash

    Yes, definitely a good password manager is key to online security. Unfortunately, that too takes a lot of time and effort to set up. You have to be diligent about importing usernames and passwords into the manager as you log on to accounts that you haven’t used in a while, and then changing the passwords. After using a manager, I wouldn’t go back to how I was doing it before.

    What can be really frustrating is when a site doesn’t give you all the acceptable parameters for a password. They’ll tell you the minimum password length, and that you need to include a certain number of capital letters, lower case letters, or numbers, but they don’t give a maximum password length or if special characters are permitted. It can sometimes take a bit of trial and error to figure out what’s permitted.

  • Nigel Straightgrain

    “…it is important to take some of the tricky decisions away from the user. The goal should be for doing the right thing to be the easy choice, and it being much harder to do the wrong thing.”

    In principle I’m in complete agreement with the goal, but I’m not so sure about the methodology. I guess it depends on who gets to determine what “the tricky decisions” are. That same approach has produced the intractable mess we now call “government”, which has devolved into arrogant politicians enacting laws in which we have little or no say that continually limit our freedom, our privacy, and our security…all in the name of freedom, privacy, and security.

    The price of freedom is responsibility. If users want to retain the freedom to make their own decisions about things that matter to them—their user environment, their hardware and software tools, their access to information and other resources that make their lives easier and better—they’re going to have to stake their claim to that freedom by taking some responsibility for it.

    A simple thing like a password manager is a no-brainer to those who already understand why it’s important. But that’s the key: password managers aren’t used universally for the same reason that secure (encrypted) email isn’t—namely, people don’t know about them, and don’t understand why they’re important.

    So yes…doing the right thing should be the easy choice. I absolutely agree that it is a proper design specification not only for secure software and devices, but for every system of self-governance that humans use, including government itself, and that requires an educated populace. Articles like this one help, but we have a long way to go.

    • Serban

      But my utmost concern about password managers is that they are still inside a computer that’s ‘hackable’. If a person with bad intentions is capable of getting to the software and data on my computer, from afar, despite several layers of technical difficulties, then what’s to stop them from stealing wholesale the password manager hashes and decryption algorithm, all in one go? Where is the limit of what they can steal and what they cannot? Is there such a limit?
      If you need to hesitate a few seconds before a serious answer, then the conclusion is that the password for my bank account is better off in my head.

      • Nigel Straightgrain

        Wait…are you saying that the only password-protected online account you own is your bank account? If that’s the case, then I agree that you have no need for a password manager.

        Meanwhile, I suspect most other folks are like me. By rough count, my password manager is holding over 250 passwords and usernames. Even if I could remember all of them, I don’t want to. All of the passwords are unique, which means that if by some chance a ne’er-do-well manages to hack a password for any given account, he can’t use it anywhere else for another account.

        The probability that some jerk is going to be able to hack through my firewall, hack into my fully patched system, get past my on-access AV scanner, and then hack a very strong password (the only one I have to remember) to get into my password manager—and do all of that while going completely undetected by my network monitor—is essentially zero.

        If I were to apply your argument to myself, you’re essentially saying that I’m better off using a single easy-to-remember password for all 250+ of my online accounts and keep it in my head…that the risk that someone might hack the password on one of those accounts and thereby gain access to all of them is less than the risk of his hacking into my password manager.

        …uh, I don’t think so.

  • LUCY Security

    At home:
    1. Use a firewall appliance and do not open any internet ports, never.
    2. Use a NAS in your home AND use Cloud Storage service. Split usage between private NAS and collaborative Cloud Storage Services.
    3. Buy Macs for your family, especially for your kids.
    4. Apply PWCER….

    PWCER – Internet Safety Basics are…
    …Passwords: Strong & unique.
    …Website: If you have one protect it.
    …Computer: Use Antivirus and do Backups.
    …Email: Hover over links and attachments and check the URL.
    …Reputation: Think before you type to upload a picture.