Information security fatigue: when does enough become too much?
New research examines how information security overload can lead to fatigue and complacency in even the best employees
Though the capabilities of enterprise technology continue to advance with each passing year, the fundamental role that users play in securing complex systems has remained virtually unchanged. Decades after the creation of the most common operating systems, users still typically log in via the same basic authentication model — an identifier plus a password — that existed when the first version came to life. Indeed, rather than advancing to a simpler security paradigm, users typically find themselves struggling with a plethora of identities, passwords, token devices, and so on, each one adding to the security tasks needed to protect devices, enterprise systems, and data.
In many other contexts such as medicine and law enforcement, the impact of adhering to such complex protocols and procedures is studied carefully in order to understand the psychological burden they place on affected parties. Moreover, we understand that various forms of decision fatigue can arise in settings with high compliance efforts. Thus, it is not surprising to find that NIST researchers documented the existence of information security fatigue (henceforth, “security fatigue”) in a 2016 study looking at general user attitudes toward cybersecurity. Interestingly, a new paper from W. Alec Cram (Waterloo), Jeffrey G. Proudfoot (Bentley), and John D'Arcy (Delaware) takes the first structured look at the dynamics, causes, and consequences of this phenomenon.
For their research, the authors define security fatigue as a “socio-emotional state experienced by an individual who is tired and disillusioned with security policy requirements.” In a world overloaded with hacker warnings and information security advice, it is not hard to imagine someone feeling “worn out by security policy requirements and accompanying controls, to the point that their compliance declines.” However, it is important to note that workers who feel security fatigue are not the same as those who demonstrate security indifference; indeed, security fatigue may affect employees who were previously models of correct security behavior, which makes understanding the phenomenon even more important. Unlike indifferent workers, the authors clarify up front, fatigued employees “are weary of, and worn out by, the demands imposed by security policy requirements.”
We know that a large percentage of security breaches can be traced back to employee behavior. Consequently, if security fatigue is a factor in these scenarios, it is an issue that should be studied and understood.