Let’s see. New password. QWERTYqwerty! No? Can’t repeat passwords used the last six times? OMG. Ok. !2016Drowssap! Rejected. I’m gonna have to actually figure out another password. MoYi6!erdty. Bingo. I open my drawer, pull out my three-page list of accounts and associated passwords, and record it. It’s not really exhausting, but c’mon. Do I really have to change my excellent passwords again and again and again? I just changed it like . . . 60 days ago. Seems like yesterday. It was, in a way. Yesterday I had to change my password on my banking account. Tomorrow, health insurance. Computer at work. Computer at home. iPhone . . .
It’s not just one password, it’s twenty or thirty, at least. Given a 90 day rotation, I’m forced to change some one or another password every three or four days. For those accounts that don’t force me, well, not going to happen.
SECURITY FATIGUE
There are all sorts of fatigues out there. Chronic Fatigue Syndrome (CFS). Chronic Fatigue & Immune Dysfunction Syndrome (CFIDS). Post-Viral Fatigue Syndrome (PVFS). Myalgic Encephalopathy (ME). Now, Security Fatigue (SF). Yes, according to B. Stanton, et. al., in IEEE’s IT Professional, it’s a thing. The National Institute of Standards and Technology (NIST) covers it for us.
SF: “a weariness or reluctance to deal with computer security.”
Weariness, yes. Reluctance, a lot of it. I’ve really got this one. It’s no surprise. The report abstract notes that victims of security fatigue “expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance.” That’s me more and more.
SYMPTOMS
These people aren’t joking (they’re not the kind of people who do that). They’re serious. According to the NIST, “The multidisciplinary team learned that the majority of their average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.” Indeed. I think all of this started mid-September 2001, and it hasn’t let up. And it’s exhausting. Terrorism. Hacking. Computer Viruses. Viruses. . . . The outcome: “security fatigue . . . often leads users to risky computing behavior at work and in their personal lives.” Wow. Risky computing behavior. That’s like putting your floppy disc into somebody’s hard drive without first doing a virus scan. Computer promiscuity.
“Researchers found that the result of weariness leads to feelings of resignation and loss of control. These reactions,” NIST reports, “can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules.” Then, all rules go out the window! Anarchy! They don’t say that, but it follows.
YOU’RE NOT TO BLAME
Here’s the good news. It’s not your fault. In a video that accompanies NIST’s report (you’ve seriously got to watch this video), NIST Computer Scientist Mary Frances Theofanos, sitting outside in a bucolic setting next to a pond with traffic zipping back and forth behind her (not relaxing) tells us in a climactic, dramatic moment in the video, “I believe we can have security, and I believe we can have usability.” Then why don’t we have it!
THERE IS HELP
Theofanos indicts her own people. It’s about heartless computer scientists putting too much of a load on users, a load they should be carrying themselves. She says, “I think what has happened today is, people [that’s you, computer scientists] just haven’t considered the user.” Thank you, Mary Frances! Saint Mary Frances to me. She’s taking this burden on herself. She concludes that she and her people can “eliminate some of these decisions for the users. . . . The goal,” she says, “is to help users do the right thing. Make it hard for them to do the wrong thing.”
Ok, I’m flippant . But I think they’re absolutely right. The NEXT big thing will be some sort of app that spits out a new password, automatically records it on your iPhone, and all you have to do is pick the right one. Or something along those lines. Maybe we’re already there.
