How many passwords do you have? Do you remember them? Do they meet the security minimums? Do they have more than 10 characters, mixing uppercase, lowercase, numbers and other symbols? When was the last time you changed them? Have you recently checked whether any of the accounts they protect has been breached? If merely running through these questions in your head fills you with monumental laziness, your condition has a name: cyberfatigue, or cybersecurity fatigue.
Fatigue can overtake us in several ways. Classical studies attributed it to the overconfidence that comes from having received repeated training on these risks: all this knowledge makes us feel invulnerable. For Andrew Reeves, a researcher in the human aspects of cybersecurity group at the University of Adelaide (Australia), complacency is a valid but insufficient answer. On the one hand, companies’ prevention measures translate into a wave of training and recommendations on the subject. “People are being trained so often that they get tired of hearing the same thing and sick of being told what to do. So their behavior begins to worsen,” says the expert.
On the other hand, the security systems themselves undermine user morale, turning prevention tasks into an obstacle course on top of the other obligations of the working day: using two-factor authentication, changing passwords, checking the legitimacy of emails, connecting to VPNs… “This can lead us to a situation where we are totally disconnected from cybersecurity,” concludes Reeves.
Is it possible to avoid cyberfatigue? No. And, given the upward trend in the incidence of cybercrime, the situation shows no sign of improving, especially in work environments. “At home, when you enter your bank account it is your responsibility. At work, especially in larger companies, it is easy to think that it is someone else’s problem,” the researcher points out. Tiredness, however, travels from one environment to the other: the frustration of seeing our Facebook data potentially exposed by a leak adds to the hassle of managing the security of business accounts.
Furthermore, those who perpetrate these crimes know our weaknesses and take advantage of them: attacks are most often launched in the late afternoon and evening, and the favorite day is Friday. “Especially in the case of phishing (identity theft), because they know that people are tired and not thinking clearly.” But the fact that this reluctance is inevitable does not mean that we are condemned to use flimsy passwords and to be exposed to the dark side of the internet out of simple laziness.
If you can’t handle cyberfatigue …
Reeves’ recipe is to accept that this rejection is going to happen at one point or another. Under this premise, the best way to minimize the consequences of cybersecurity fatigue is to design security systems that make life easier for those who have to use them, so that staying alert requires less effort. “The big word here is empathy,” emphasizes the researcher. If those who design and implement the precautions put themselves in the users’ shoes, things would be very different.
“We have to work with fatigue, because we will not be able to counteract it completely,” insists the expert. The success of this change in perspective has already been confirmed by studies showing that password quality improves if password renewal is requested on a Tuesday morning instead of a Friday afternoon. This effort to improve the user experience can also reduce friction in more convoluted procedures. Reeves gives the example of a two-factor authentication system in which the button that had to be clicked to send the access code to another device was designed in a way that made it practically invisible, so users wasted time waiting for a message that had not even been sent. “Usability is a safety factor,” says the researcher.
The content of training, and the way new security measures are communicated, can also help limit the scope of cyberfatigue. Rather than listing a series of deplorable behaviors and dictating the correct ones outright, Reeves advocates an approach that explains the reasons for the changes and acknowledges that even new measures could be out of date in no time. “The problem we have is that sometimes there is an attitude of even moral superiority.” When the cybersecurity department acknowledges its own fallibility, caused by the constant evolution and adaptation of criminal groups, those who must follow its recommendations become more receptive to them.
“It is important to know what is causing cyberfatigue,” warns the researcher. Since each cause requires different treatment, a misdiagnosis can end up worsening the situation. If the problem lies in an excess of training, trying to solve it with more training will only make it worse. In the same way, if the predisposition is good but the problem lies in the prevention systems, increasing the educational content will not solve anything.
Eddie is an Australian news reporter with over 9 years in the industry and has been published in Forbes and TechCrunch.