Is Your Company Suffering the Effects of "Security Fatigue"?

A new study from the National Institute of Standards and Technology (NIST) puts the spotlight on “security fatigue.” What does this mean?

October 11, 2016 by Alex Collins, IT Services Consultant


You have a hard enough time making decisions for the benefit of your whole enterprise. Add the numerous decisions you have to make with regard to cybersecurity alone (“What password do I use?” “Who gets access to sensitive data?”) and it's no surprise that some simply give up.

A new study from the National Institute of Standards and Technology (NIST) puts the spotlight on “security fatigue”: a trending decrease in cybersecurity vigilance and corresponding increase in risky behavior, experienced by users who are overwhelmed by the need to stay alert against threats to their data.

“We were completely surprised by our findings,” study co-author Mary Theofanos of NIST explains in a video. “We found this underlying theme of fatigue and weariness, which came with dread and resignation!”


Security & Psychology

Theofanos believes that “security fatigue” mirrors a phenomenon in psychology known as decision fatigue: “The more decisions we make in the course of the day, the harder [making] the decisions become,” Theofanos says. “What your brain does in response is, it goes into another mode: it tries to either avoid the decisions, or fall back on something that it knows how to do very easily, fall back on habits.”

This, Theofanos explains, is what the study found from its respondents: “They were no longer able to make decisions with respect to security.” Fatigued by fear and uncertainty, many users' decisions swing towards impulse and lack of caution.

For example, users of your sensitive company data might resort to easier-to-remember passwords… that also happen to be easily teased out by a determined cybercriminal.

Users might also self-justify their lack of caution, claiming that their data is inconsequential to hackers; or say that IT vigilance is pointless, given that large companies regularly fall victim to hackers anyway.

This and many other manifestations of security fatigue are bound to cause trouble for your computer security, with major consequences down the road. Consider this: according to a 2016 Experian study, “one in five consumers notified of a breach stopped doing business with the company that compromised their personal information.”

Do the Right Thing

The solutions, Theofanos explains, tie into a key goal in cybersecurity: “to help users do the right thing, make it hard for them to do the wrong thing, and help them to recover when the wrong thing happens.”

Half of the solution relies on creating good cybersecurity habits: “We want to instill habits in people so people can fall back on those good habits, rather than avoiding those decisions,” Theofanos explains. This may involve security training for end-users (a service that All Covered provides). Not only does this get end-users on board with the company's IT security posture, it also gives them a fixed cybersecurity policy to follow, which helps avoid the fatigue that comes from dealing with uncertainty.

Theofanos also suggests that cybersecurity rules be simplified: “eliminate some of the decisions for users.” Some cybersecurity decisions might be taken off an end-user's hands entirely, reducing the risk of security fatigue down the road. “If the decision-making process is so difficult, why don't we make some of those decisions for the users?” asks Theofanos.

By outsourcing many of these cybersecurity issues to a capable IT partner, you can apply Theofanos' suggestion across your whole company: relying on specialized security talent on demand, without investing the vast resources needed to build up a robust cybersecurity infrastructure in-house.