'Cybersecurity fatigue' stopping millions from being safe

secure website

A new study by the US National Institute of Standards and Technology (NIST) has found that a majority of computer users are being turned off cybersecurity by the constant warnings they receive about the dangers of hacks and cyberattacks.

simon chandler
By Simon Chandler

NIST reported in IT Professional that the regular publicising of advice fatigues and wearies people, ironically making them less likely to take the necessary precautions to strengthen their online security.

In an age where the likes of TalkTalk and the Carphone Warehouse are having their websites breached because of lax defences, the existence of apathy among the public is a major cause for concern.

It suggests that already underperforming companies have to double their efforts to protect the data of their customers.

More fundamentally, it also suggests that the whole approach to educating and protecting the public has to change, and that cybersecurity has to be made much simpler and accessible if the Government and businesses expect the public to play their part.


Otherwise, the kind of fatigue and disinterest reported by NIST will continue.

In their paper, they recorded how "average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert."

Much of this sense of being overwhelmed comes from having to remember so many usernames and passwords, which the authors of the paper reveal can sometimes reach as many as 30.

But it's also a product of having to adopt "safe behavior, and trying to understand the nuances of online security issues."

Together, these kinds of demands were found to have an effect opposite to what was intended.

They not only lead to "feelings of resignation and loss of control", but they also result in many people "avoiding decisions, choosing the easiest option among alternatives ... and failing to follow security rules."

As such, campaigns intended to motivate people to act more responsibly online - such as the public cybersecurity awareness programme launched by the Cabinet Office in 2013 - may have been counterproductive.

Since they required the public to take on considerable amounts of new information and adopt new habits, they may have worsened the uncertainty and indecision they set out to solve.

This is perhaps part of the reason why, after years of campaigns and more campaigns, Britons are still victims to some 6 million cybercrimes each year.

Entrusted data

More on cybersecurity
Malware found in Apple apps
Mobile banking vulnerable to attack
Festive fraud warnings
Is parental control software effective?

Part of the problem is no doubt that some cybercriminals are becoming more sophisticated in their methods, yet another big part of the problem is simply the attitudes people have towards cybersecurity.

For example, NIST also noted that many people think "safeguarding data is someone else's responsibility". They often believe that computer security should be left "to their bank, online store or someone with more experience".

This is an assumption that's made much more likely by the aforementioned bombardment of advice, cautions, instructions and campaigns.

In order to combat it, what's needed is an entirely different approach to ensuring that the public aren't a weak link in cybersecurity's chain.

As the NIST paper recommends, business and security companies should "Make it simple for users to choose the right security action". They should also "Design for consistent decision making whenever possible".

While it's only a modest step, such consistency and simplicity would be enabled by a password manager like Dashlane and LastPass.

However, cybersecurity isn't simply a matter of simplicity. It's also a matter of businesses and organisations doing more to protect the data they keep on behalf of their customers.

This is because, whenever someone puts personal information online, they always put it with a business and organisation.

Because they entrust it to a third party, they're actually correct in assuming that the ultimate responsibility for its security resides with this party.

Hard lines

As a result, telecoms providers like TalkTalk really must do more to tighten the defences of their websites and databases.

Since they've been so slipshod recently, it's a good thing the Information Commissioner's Office fined them £400,000.

Because if their cybersecurity is weak, then no amount of sensible, responsible behaviour on the part of their customers is going to save these customers from having their personal data jeopardised.

In fact, it's possible that the general public have been overwhelmed with so much information concerning security precisely because many businesses have been so inept on this regard.

This is why, if the Government wish to avoid giving them cybersecurity fatigue, they should work very hard towards ramping up the cybersecurity of businesses.

Their opening of a National Cyber Security Centre is a step in the right direction, yet what's also required is a consistent hard line on companies who have their websites breached because of security failings.

Because without such a hard line, there would be little use in informing a jaded public about cybersecurity anyway.

Please read our full disclaimer for important information that relates to the service we provide and your use of this site.

We aim to provide free reviews and comparisons of consumer products and to keep our editorial content as objective as possible. To keep the site free, we are paid by some providers when new customers take products after they've clicked on our links. We don't allow our editorial content to be affected by those links, however we may not include all of the products available in the market. Finally, we do not submit or process any applications for any products or services and we cannot guarantee that any product or service listed on this website will be available to you. Credit providers make the final decision on whether an application for credit will be accepted.

If you would like to get in touch with us you can contact us here.