By SecureWorld News Team
Tue | Oct 11, 2016 | 12:00 AM PDT

Good security hygiene dictates that you use a different password for every site, keep backups for all of your files, and err on the side of encryption for your daily communications. But for the average consumer—who uses everything from mobile banking to photo storage sites to that app that lets you create an account to translate what nearby ghosts are saying—how are you supposed to keep everything straight and secure without losing your mind?

As the National Institute of Standards and Technology (NIST) was conducting a study on understanding computer users' mental models regarding security, they came to a surprising conclusion. When asking participants whether they knew the difference between security and privacy, and what words like ransomware mean, the four researchers found that most responses were emotional: consumers were simply fed up with everything they were required to do to stay secure online.

In an exclusive interview with SecureWorld, NIST researcher Mary Theofanos explains how people make bad decisions or act impulsively if they feel resignation or a loss of control. In this case, these are effects of the "security fatigue" they are experiencing. She saw most people having the mentality of "it won't happen to me" or "it's the bank's responsibility to keep my information secure," and so their security hygiene wasn't in the best state.

When asked if security professionals ever display some of these same symptoms, she says her data "shows they don't have the same fear or overwhelming dread." She adds, "they see it as a challenge but also they're prepared."

So what can be done to transform how normal consumers feel about security practices into the attitudes of the professionals?

It's all about the messaging. 

Instead of projecting "don't do this, don't do that or you'll get hacked," the message needs to be "do this, do that and you'll be protected." It's much easier to form habits based on positive and proactive decision making than fear-based requirements (when people really don't want to keep track of 50 different passwords anyway). 

Theofanos also says we're asking consumers to make too many decisions about their security practices. We need to "make it easier for them to make the right decisions in these circumstances" by having certain software and algorithms make some of the choices for them.

"Everybody needs to play their part to make this infrastructure secure," she says. One participant likened cybersecurity to locking your car each time you leave it, which has become common sense and habitual.
