What is it?
The psychological state one reaches when security decisions become too numerous and/or too complex, thus inhibiting good security practices.
Why is it important?
Security fatigue can cause weariness, hopelessness, frustration, and devaluation, all of which can result in poor security practices.
Why does a business professional need to know this?
Security fatigue — feeling tired, turned off, or overwhelmed in response to online security — makes users more likely to ignore security advice and engage in online behaviors that put them at risk. Users favor following practices that make things easier and less complicated, even if they recognize that these practices may not be as secure.
Security fatigue presents a significant challenge to efforts to promote online security and online privacy. The ability to make decisions is a finite resource. Security fatigue is a cost that users experience when bombarded with security messages, advice, and demands for compliance.
Too often, individuals are inundated with security choices and asked to make more security decisions than they are able to process. Adopting security advice is an ongoing cost that users continue to experience. When faced with this fatigue and ongoing security cost, users fall back on heuristics and cognitive biases such as the following:
- Avoiding unnecessary decisions
- Choosing the easiest available option
- Making decisions driven by immediate motivations
- Choosing to use a simplified algorithm
- Behaving impulsively
Understanding how the public thinks about and approaches cybersecurity provides us with a better understanding of how to help users be more secure in their online interactions. The following steps can help users adopt more secure online practices:
- Limit the decisions users have to make for security
- Make it easy for users to do the right thing related to security
- Provide consistency (whenever possible) in the decisions users need to make