By Diederik Perk. It’s a puzzle that’s never fully finished: how to close the gap between the security policy and its acceptance by a targeted group of users. Setting the policy rules is one thing; getting members of the organization to comply is a different ballgame. A recent NIST study uncovered that the majority of users experience security fatigue. This confirms previous observations from academic studies of the phenomenon.
Security fatigue means that the majority of average computer users feel overwhelmed and bombarded with rules and warnings, and get tired of being on constant alert. This causes them to stop adopting safe behavior and to stop trying to understand the nuances of online security issues. In a nutshell, the results of uncoordinated security awareness efforts are counterproductive, causing confusion and recklessness.
For security departments this should be a pressing cause for concern. Verizon’s recent experience shows that 30% of successful major data breaches involve social engineering tactics to acquire a foothold in an organization. Additionally, human error is responsible for 95% of security incidents according to IBM’s 2015 report on cyber security. This data indicates that nearly all computer-based attacks are connected to exploiting the human factor in organizations. Overcoming security fatigue in users is therefore instrumental in tightening up organizational defenses.
Shifting the Burden
Regardless of the alarming statistics, there’s no use in blaming the workforce. What’s necessary is devising a better way to communicate with users that protects them and the organization. Too often, a shortcut is taken instead: injecting fear, uncertainty and doubt by talking about worst-case scenarios. Combining that with a discussion of risky user actions sends the message that users alone stand between the organization and this scenario, and that they have to become fully knowledgeable about security issues. The implicit calculation that is passed on can be summed up schematically as follows:
Realistically, the chance of security fatigue increasing is high, due to the disproportional weight that is placed upon the total sum of actions performed by the user. The burden of security is unfairly passed onto the user. The average employee will refuse to accept this responsibility and undermine it by pleading ignorance or time constraints: “I have a deadline to meet, so I cannot be expected to screen all security alerts when visiting customer webpages.”
Winning Charts and Minds
Changing the attitude, knowledge and awareness of such a user requires a two-way dialogue that makes clear that security is an organizational priority. Present the user with a bottom-line choice: follow common-sense rules, or accept a more restrictive computing environment. Additionally, an honest exchange reviewing the risk profile of the organization should be part of the conversation. That invites people to point out risks drawn from their own experience that may or may not have been considered by everyone, raising credibility, awareness and overall alignment.
Rewarding good behavior works better than punishing unwanted acts. There are various examples of gamification in organizations that award badges and points for finishing security awareness training, keeping a clean desk or reporting spam mail. Some organizations even go so far as to hand out cash prizes for accomplishing security objectives. What works comes down to organizational culture. The point is to inform, entice and activate users through continued interaction that empowers them to make risk calculations as well as to detect and report anomalies.
Where Responsibility meets Accountability
Ideally, this shifts the equation for all users to the following:
Not only is the outcome of secure, common-sense actions tangibly rewarded, it also gains acceptance by feeling rewarding in itself. In this way, the groundwork for nurturing a security culture is put in place. A security culture is where a growing and shared responsibility meets well-defined accountability. In other words, everyone within the organization knows the rules and requirements and is willing to go the extra mile, whether that means asking an uninvited visitor for a guest badge or reporting a suspicious e-mail to the service desk.
The security fatigue study debunks one more myth. In IT circles the end user is considered to be uninformed about doing the right thing. In fact, NIST has shown that users are knowingly bypassing your security warnings. They know what to do, but choose not to do it (much like IT staff themselves). This is actually helpful. It means all the previous efforts focused on basic security hygiene, such as strong passwords and safe e-mail handling, have been received. Now it is time to move beyond well-intentioned guidelines and policies. It’s necessary to help users shift their calculation by making it worthwhile to comply with, rather than bypass, security. Consider this both an invitation and a warning: they snooze, you lose!
Brian Stanton, Mary F. Theofanos, Sandra Spickard Prettyman, Susanne Furman, “Security Fatigue”, IT Professional, vol. 18, pp. 26-32, Sept.-Oct. 2016, doi:10.1109/MITP.2016.84
Steven Furnell, Kerry-Lynn Thomson, “Recognising and addressing ‘security fatigue’”, Computer Fraud & Security, vol. 2009, no. 11, pp. 7-11, November 2009.
Verizon, “Data Breach Digest. Scenarios from the Field”, http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2016/
IBM, “2015 Cyber Security Intelligence Index”, http://www-05.ibm.com/at/businessconnect/assets/files/Security-IBM_Security_Services.pdf