Security Fatigue: 5 tips how to tame Awareness' biggest opponent

Security fatigue weakens awareness and poses a risk to IT security
IT security needs the vigilant user – but ensuring real awareness in everyday life is a major challenge for many companies. Users feel overwhelmed by password changes, policies and alerts and often end up in a state of resignation. Learn how to avoid 'security fatigue'.

A study conducted by the National Institute of Standards in Technology (NIST) in autumn 2016 states that 63% of participants are affected by security fatigue: Users are repeatedly bombarded with news reports, articles or awareness campaigns that report on online criminals and the dangers of the internet. Digitally inexperienced users in particular often end up in a state of panic and helplessness.

Security fatigue as a counterpart to security awareness

Typical thoughts that users develop are:

  • I am personally not at risk (I have nothing of value that could interest a criminal).
  • Someone else is responsible for security - in case of an attack I will be protected.
  • Security measures that I implement myself can't really help me.

According to psychologists Amos Tversky and Daniel Kahneman of NIST, these thoughts manifest themselves in resignation, so that pending security-related decisions are postponed or avoided. A further not insignificant sticking point is the increasing complexity of current IT systems – digitalization, which is spreading into all areas, can promote security fatigue and thus bring considerable security problems to light.

Reward instead of fear

Contrary to common myths, fear or past incidents are not too strong drivers of change: Most people subconsciously ignore negative effects - a positive outlook can bring about a much greater change without jeopardizing employee satisfaction. For this reason, positive incentives should be created to report incidents. For example, a reward system or a gamification approach for correctly submitted reports can help to promote correct behaviour.

5 tips how to tame awareness' biggest opponent

  1. Security must be simple
    Easy to implement but effective measures such as a password manager or an easy-to-use reporting system (e.g. the IT-Seal Reporter Button) can help to overcome the security fatigue. It is important that the user feels able to contribute to IT security.  
  2. Security is a matter of habituation
    ‍Changes in behaviour do not happen overnight. In order to bring about a lasting change in behaviour, you have to take your time and repeatedly point out safe behaviour to the user. This can be achieved, for example, through training measures integrated into everyday life – our customers rely on the Awareness Academy.
  3. Setting positive incentives
    Correct behaviour should be rewarded. To achieve this, it may be sufficient to praise the best group of employees in front of the entire company. Gamification can also help to create incentives.
  4. Emphasizing personal advantages
    Attacks do not only affect companies. Many training and awareness measures also help employees in their private everyday lives. If this is particularly emphasised, it can significantly increase the willingness to learn.
  5. Establishing a forgiving error culture
    When reporting mistakes comes with disadvantages, there are understandably great inhibitions to admit one's own misconduct. Here, management in particular has a duty to admit its own mistakes and to cultivate open crisis management based on the motto: Mistakes are good - as long as you learn from them.

Security awareness as part of the corporate culture

Security culture is not just paperwork or technical work. In order to establish a functioning corporate security it is important to establish a corporate culture that values security beyond technology, regulations and training. This explains why IT security cannot function without corporate management. The IT department provides important support through strong technical measures - but cannot alone ensure that the entire company is secure.