You walk into the office, enter your user name and password to begin your day and are prompted to reset your password because it’s the end of the quarter. You sigh and enter one, “too short,” another “don’t forget the special character” another still “you used something similar last year” and you finally enter something so complex you have to write it down on a post it and place that under your keyboard.
This is referred to as password fatigue and it’s becoming more common. Add to that the idea of creating a new account for see information or make a purchase and other factors and you have security fatigue. This results in a consumer starting to use risky behavior – such as using the same password on multiple sites – that puts the consumer at risk, according to a report released by the National Institute of Standards and Technology and published by IEEE.
Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore…People get weary from being bombarded by ‘watch out for this or watch out for that.’”
Interview questions addressed online activities; computer security perceptions; and the knowledge and use of security icons, tools, and terminology. Qualitative data techniques were used to code and analyze the data identifying security fatigue and contributing factors, symptoms, and outcomes of fatigue.
Although fatigue was not directly part of the interview protocol, more than half of the participants alluded to fatigue in their interviews. Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.
Comments among those who expressed feelings of security fatigue included:
- “I get tired of remembering my username and passwords.”
- “I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.
- “It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.”
The data provided evidence for three ways to ease security fatigue and help users maintain secure online habits and behavior. They are:
- Limit the number of security decisions users need to make;
- Make it simple for users to choose the right security action; and
- Design for consistent decision making whenever possible.