Security Fatigue — What Is It? How Do We Cope With It?

Isha Mujumdar
May 7, 2022


When attending a seminar on cybersecurity, I once heard the following conversation —

Person 1: Hey, I heard that you had some kind of an argument with the boss.

Person 2: Yeah. It was such a silly thing. I wanted to install software for the ABC project and that office laptop simply refused to let me. Kept asking for an admin account.

Person 1: Didn’t you contact the IT dept?

Person 2: I did, yeah. But they rejected my request. Said something about “not allowed to give administrative access to employees”. I tried to reason with them, but they were really adamant.

Person 1: But you did complete the project, right? The team was all praises for you. So I guess they finally gave you the access?

Person 2: Yes, eventually they did. But it was so many arguments back and forth, then the boss got involved, but finally, I got it. But I tell you, these many restrictions make it so hard to work here. You have security restrictions everywhere — passwords, accounts, computers and whatnot. I feel tired even when typing those extremely long and complicated passwords every time I need the server data. All this “following the security” has become so frustrating that I’m thinking of looking for another job.

Now, don’t you go thinking that I was eavesdropping. It all happened when we were chatting about cybersecurity restrictions and these two from our group started this line of conversation. But that’s not the important part. What’s important is that most of the general workforce thinks along the same lines. How do I know that, you ask? Well, after hearing the conversation mentioned here, I put this question to all the attendees there and they seemed to agree. Not only that, but since that day I have asked the same question of everyone I meet, and there is a consensus that the current structure of cybersecurity restrictions in big organizations is a little annoying at times. And while this starts as a bit of an annoyance, multiple restrictions (especially those that hinder daily work) cause the annoyance to grow slowly and turn into tiredness, and eventually people start ignoring the cybersecurity rules altogether.

This experience of feeling overwhelmed, anxious and tired by cybersecurity processes, rules and regulations is commonly known as “security fatigue”. And it is not restricted to an organizational setup, as many would think. It has a big impact on our personal lives too. According to what I have experienced up till now, people who set out to follow good cyber hygiene standards slowly start getting tired of them. For example, a friend of mine was quite pumped up about cybersecurity hygiene when I first told her about it and how it would keep her safe in the cyber world. She started following the good practices enthusiastically: keeping strong passwords, changing them from time to time, maintaining social media security, restricting internet access with firewalls and more. But after a while all this started overwhelming her and eventually she stopped altogether.

She is not the only one; many others experience similar things when trying to increase and follow cybersecurity. And the reasons for this are many. People start experiencing a false sense of security after a while, which makes them overconfident that they cannot be targeted and thus leads to their decision to stop following cybersecurity practices. Many believe that they do not possess important data that hackers might take an interest in. Some feel that cybersecurity slows down their work. But whatever their reasoning, this thought process leads to an increasing feeling of fatigue which relates directly to the cybersecurity controls and processes they have to follow. And once a person experiences security fatigue, he/she may even start acting recklessly wherever cybersecurity is concerned. This is not the best way to go, especially in a world where cyber-attackers keep innovating and cybercrimes keep increasing.

While Vince Lombardi has said “Fatigue makes cowards of us all”, in the case of security fatigue it would be more appropriate to say that “Security fatigue makes us all reckless”.

Then what do we do? Do we completely ignore cybersecurity? Or do we follow it and then fall to security fatigue? Isn’t there a middle way? It’s a tricky situation, isn’t it? There are some ways in which this can be tackled. Now, you need to know that extreme modifications cannot be made to the science that is cybersecurity. If we look at this in an organizational setting, then yes, the security implementation and management processes do need to change. Organizational cybersecurity can be truly achieved when its employees understand cybersecurity and get past the security fatigue. And to achieve this, a more people-friendly and accommodative cybersecurity framework needs to be designed, one that finds the balance between security and utilization. But this does not mean that people can become carefree once this adaptive model is achieved. People will always play an important part in cybersecurity enforcement, whether they work in top management or are part of the physical security team. Each person has his/her own unique role to play. Although modified processes can reduce the chances of security fatigue, they cannot fully eliminate it.

Now, if we take a look at security fatigue in a personal setting, the complete responsibility falls upon us, as there is no organization to define the security processes for us. So, what we can do, at both the personal and the professional level, is follow a simple process which I call “Baby-Step CyberSec”. I personally recommend following a “baby-step”, step-by-step process whenever things seem overwhelming and confusing. Simply put, you need to tackle things one by one instead of all at the same time. It can be done in the following way —

  1. Make a list of all digital data, online platforms, networks and other personal IT assets you may have.
  2. Make a list of security measures you need to take and follow for each of these.
  3. Pick the first measure from the list and start following it.
  4. Follow this measure until it becomes a natural part of your daily routine, so much so that your mind does it subconsciously rather than having to list it as a separate task.
  5. Then continue the same thing with the second security measure and so on.

What I mean to say here is that cybersecurity controls and measures cannot be drastically changed. But our human brain has the capacity to adapt to all kinds of situations and routines. It just needs time and patience. Some would say that this method will leave big security gaps in the beginning, when other security controls are not thought of. But something is better than nothing, isn’t it? And we don’t just need to secure the present. We have to progress to a world where people don’t need to ask “Why cybersecurity?”, but rather consider cybersecurity one of the basic necessities in life. Because realistically speaking, cybercrimes will not cease, but security fatigue can. We just need to put in a little effort.

And as I always say — “After All, It’s Your Call”
