Why Security Fatigue is Scarier than Dating Taylor Swift

November 16, 2016

The Internet Age has given us a platform that connects us to our community, financial institutions, social life, retail outlets, and entertainment. The upside of all this connectivity is that it’s easier than ever to stay in touch, pay your bills, watch a show on demand, or download music. In order to enjoy all this content, we have to manage our identity across all of our applications. There are few of us who haven’t had the thought, “I am tired of remembering all these usernames and passwords”!

This is what we call security fatigue. "Security fatigue is defined as a weariness or reluctance to deal with computer security." via @idenhaus There are a number of quotes similar to the one above from respondents to a recent NIST study. Interestingly, the authors note that there were no direct questions about security fatigue. More than half of the respondents reported feeling “overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.”

This study was released in October 2016 during Cybersecurity Awareness Month, which is part of the Department of Homeland Security’s effort to highlight cybersecurity and encourage end user training on better security practices. While there are benefits to this awareness program, this program is competing with daily media reports of the latest data breach, security vulnerability, or Cyberwarfare from Russia and China – so the natural response is actually fatigue, and fatigue is dangerous.

“The security fatigue users experience contributes to their cost-benefit analyses in how to incorporate security practices and reinforces their ideas of lack of benefit for following security advice.” Security Fatigue, NIST study


So knowing this, what is a more effective way to combat security fatigue in an organization?

Cybersecurity fatigue will never go away, at least not until security is secondhand to every computer user, but implementing ways to reduce the fatigue can help in increasing compliance and the effectiveness of security measures. Here are three ways to help reduce cybersecurity fatigue and to keep your workforce engaged on a daily basis and not just for 31 days in October.

Step One: Establish a Balanced Cybersecurity Education Program

A good cybersecurity program is one that understands how the people in the business operate, their knowledge of cybersecurity, and how they use their connected devices. This is not an easy thing to do nor to maintain. Ultimately, a balanced program is one that is developed and produced for the unique operating environment of your business. There needs to be a balance between hands-on training and regular messaging; content should include case studies and industry expert insights that are relevant to your organization. 

Each business has its own culture and organizational structure that defines what behaviors are acceptable as well as how authority is employed (formal vs. influence). Together, these create a signature operating rhythm that is defined by the individuals working for that business. While processes and procedures can help to reduce major operating errors, each worker brings their own unique computer fingerprint to the office every day. These digital fingerprints are a challenge for cybersecurity programs — users don’t patch their equipment and devices may not fall under the corporate security policies (e.g. patching, configuration, lock down of functions, auditing). If the security team does not invest the time to understand how their employees and contractors work, the security programs are misaligned and perceived as a nuisance rather than a benefit, so the security programs are ignored rather than embraced.

To help combat this, the cybersecurity education team should tailor their messaging for different functional areas and business units. Consider that what is relevant to IT functions may not be relevant to marketing functions, as an example. By tailoring the education program to the audience, we expect an increase user acceptance and compliance, which provides a more secure computing environment.

Step Two: Designing Security to Enable the Business

Designing security to better suit the needs of your business and enable users to work more efficiently is becoming an important part of cybersecurity, yet it is almost the exact opposite of what cybersecurity has meant for so long. Historically, security signified the restriction of access and the lock-down of a network. Today, security must be designed with user experience top of mind. If controls are implemented and processes are understood and user friendly, there is less risk of employees finding creative ways to circumvent those controls.

“If people can’t use security, they are not going to, and then we and our nation won’t be secure.” Brian Stanton, co-author Security Fatigue Study

If we make the analogy between cybersecurity and brakes on a car, we can tease out some interesting ideas. Ask yourself, if you had no brakes on your car, how fast could you safely drive? The answer would be ‘not very fast’; however, if we have brakes on our car, then we can go very fast knowing that we have the controls in place to stop when there is a hazard. The ultimate goal of cybersecurity is to provide a safe operating environment so we can move quickly and confidently while avoiding cyber-hazards.

So how do we get here? The first step requires cybersecurity professionals to talk with users to ensure they understand the users’ requirements and how they operate. Through conversation, each side can understand the other and work to find a balance which will be beneficial to all. Every business unit has their own requirements, making a one-size-fits-all security mentality a risk to the entire network. Implementing controls which are designed through cooperation with individual business units greatly increases the chances the user will both adopt and properly exercise those controls.

Step Three: Security Policies are our Friends

Cybersecurity policies outline how an organization will address the security of their data and networks in specific terms. These policies are the backbone of every cybersecurity program, yet often there is a lack of understanding of how to implement the policies, how they apply to different situations, and how to comply. Cybersecurity policies are easily understood when discussing Internet use and data storage; however, when it comes to encryption, cloud security, and sending and receiving emails, most employees do not understand their organization’s cybersecurity processes and policies.

Why are security policies important? They make the implicit explicit – defining how people should protect data and systems, what they can and cannot do, as well as defining what should be protected. What is PII? What is SPI? What can I do with PII? What can I do with SPI?

The challenge is that end users are not informed about these policies, nor do they understand how to comply with the policies.

To drive compliance, the organization needs to combine communications with enforcement (e.g., Data Loss Prevention software, password policies) to drive awareness and compliance.


Cybersecurity fatigue is a threat to your network and organization’s security. It’s essential to design policies and processes with user experience in mind, and ensure each department understands the importance of the controls in place. Moreover, it’s essential to create a cybersecurity program that engages users on a regular basis with relevant information. One step all organizations can take immediately to relieve cyber fatigue is to reduce the frequency of irrelevant content.

Click here to subscribe to the blog

Follow @Idenhaus and connect on LinkedIn.

Photo credit: Flickr

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us today!

More News