Internet users are tired of constantly updating their passwords online, which sometimes causes them to engage in unsafe cyber behavior such as reusing old passwords, a study finds.
It's a phenomenon called "security fatigue," which the National Institute of Standards and Technology has described as "reluctance to deal with computer security."
A new NIST study interviewed about 40 people, who ranged in age from their 20s to 60s, about their internet habits, and discovered an "underlying theme of fatigue and weariness, which came with dread and resignation," study co-author Mary Theofanos said in a NIST video. More broadly, subjects expressed "resignation, loss of control, fatalism, risk minimization and decision avoidance."
Security fatigue could put users' data at risk of exposure either at work or in their personal life, co-author Brian Stanton said in a statement. “It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”
When people are expected to remember tens of different passwords, "we haven’t really thought about cybersecurity expanding and what it has done to people," Theofanos said. Subjects also felt like they were being bombarded with reminders about safety risks and guidelines for safe online behavior.
Some interviewees didn't feel they were important enough to get hacked, and thought data protection should be someone else's responsibility, such as their banks or online stores. They also wondered why they should bother to protect their own data when large organizations are frequently targeted by hackers.
The study suggests that sites should keep the number of security decisions that users must make to a minimum. Stanton and Theofanos' findings suggest that better-designed security protocols will require input from cyber experts, psychologists and anthropologists.
NIST plans to continue interviewing subjects who vary in their knowledge and responsibility regarding cybersecurity.