A widely shared survey last week called attention to the growing number of end-users who feel "security fatigue" related to their responsibilities around staying protected from cyberattacks.
The respondents to the study, conducted by the U.S.-based nonprofit NIST, expressed sentiments of "weariness and reluctance" when it comes to dealing with computer security both at home and in the workplace, primarily because they continually feel besieged by warnings and requests.
"When asked to make more computer security decisions than they are able to manage, they experience decision fatigue, which leads to security fatigue," NIST said. "Researchers found that the result of weariness leads to feelings of resignation and loss of control. These reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively and failing to follow security rules."
While this news may be disconcerting for security professionals, it should not come as much of a surprise. Researchers have been sounding the alarm for years about the burdensome costs felt by end-users to practice protection and how many of them actually make a "rational" decision to spurn security advice and training - even though the human element is widely considered the weakest link in an organization and responsible for a large majority of breaches.
So what options exist for organizations to ensure that their employees aren't going to sleep on infosec? Here are five recommendations that will help cultivate a more alert and accommodating user base - and lead to a more mature security program overall.
If your users view security as a disruption that requires them to jump through too many hoops to do their jobs, they will eschew it and work around certain controls to even further expose your organization to harm. Your job as a security professional is to find a way to keep the company protected while simultaneously acting as an enabler who recognizes the need for worker productivity.
Never mind security fatigue, users can also experience "training fatigue" if your awareness efforts are throwing too much at them, too often. Instead you should identify themes that matter most to your organization and will result in the greatest reduction of risk - keeping in mind that each department faces different risks.
One way to avoid security fatigue is to never have to worry about it in the first place, meaning you catch oversights and weaknesses before criminals are able to use them against your users. You can accomplish this by implementing secure development practices (and avoiding a rush to market new projects), as well as by security testing your databases, networks and applications.
The inevitable attacks will make their way through, which is why disproportionately focusing on prevention is a fast-pass to cyber mayhem. Instead, you need to also invest in detection and response so that you can identify threats that are already inside your environment and methodically react to them before real damage can be carried out.
The IT department isn't immune to security fatigue either, or security pressures for that matter. If you find yourself trying to compensate for shortages in time, skills and expertise - and spreading yourself thin to invest what available resources you do have - it may be time to consider outside help. Partnering with a managed security services provider can assist you in a multitude of ways.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.