DNC’s Email Leak Reinforces NIST’s “Security Fatigue” Study

A newly released report from the National Institute of Standards and Technology (NIST) suggests that users are in a state of “security fatigue” that leads them to risky behavior in their digital lives.

The study defines security fatigue as a weariness or reluctance to deal with computer security.  “Researchers found that the result of weariness leads to feelings of resignation and loss of control. These reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules.” (NIST News)

To put this in more accessible terms – people get sick of having too much online security to deal with and don’t know what to do about it, so they give up.  You may remember, not so long ago, hearing the term “password fatigue.”  This is the precursor of security fatigue, and represents a major part of the overall problem.  But frustration with security goes beyond just password fatigue.

A headline yesterday from BuzzFeed announced: “Russian Hackers Faked Gmail Password Form To Invade DNC Email System.”  Now, I’m not focused on the fact that 20 of the 108 individuals targeted in Clinton’s campaign fell for the phishing attempt; instead I want to point out that Google offers second-factor authentication that would have prevented this phishing attack from ever being successful… if it had been used by those staffers.  (In fact, because of SAML, they could have even used alternative 2FA options – like Tozny for instance… I promise that my self-serving plug ;-))  Why were employees, who knew their emails would be under threat, not using the built-in protections?  The answer – Security Fatigue.

Employees engaged with the Federal government are not unfamiliar with the importance of 2FA on email accounts.  In fact, just last year, after a major Office of Personnel Management hack, the United States CIO issued a 30-day cybersecurity sprint to shore up government systems, including “Dramatically accelerate implementation of multi-factor authentication.”  Why are we still seeing simple password hacks exposing privileged US data?  Because users are so irked with the complexities of utilizing enhanced security… they just don’t.  They are falling victim to security fatigue.  And before you get all uppity about this, remember that, statistically speaking, you probably don’t either.

A paper from the Foundation for Research and Technology – Hellas found that no more than 6.4% of Google users were utilizing 2FA on their accounts.  And this is not out of the norm for 2FA adoption.  I dare you to check yourself – visit https://twofactorauth.org/ and look up your bank, your photo sharing site, your cloud storage, your email… I bet you’ll be surprised by the places that have 2FA options you aren’t yet using!

So, what does NIST recommend now that it has identified the issue of security fatigue?

  1. Limit the number of security decisions users need to make;
  2. Make it simple for users to choose the right security action; and
  3. Design for consistent decision making whenever possible.

A little vague on the details, but a good start.  Expect more to come from NIST in the future regarding the severity of security fatigue and more specifics on addressing the issue.  In the meantime, enjoy this introductory (and rather musically intense) video on Security Fatigue from NIST: