
Consumer Cyber Fatigue: Concerns Implicate IoT, Mobile Privacy, and Security

October 2016
Privacy in Focus

Researchers at the National Institute of Standards and Technology (NIST) have noticed something the private sector has known for a while: Consumers get tired of being asked to remember ever-lengthier and changing passwords, use two-factor authentication, and answer challenge questions. As policymakers look to privacy and security in various settings, including mobile, broadband, the Internet of Things (IoT), connected cars, and other areas, security must be user friendly and flexible.

In a recent post, NIST highlights a study with surprising—if common-sense—results. Inundated with information about security breaches, as well as advice about mitigations, “a majority of the typical computer users” had “experienced security fatigue that often leads users to risky computing behavior at work and in their personal lives.” (The study is published in IT Pro, Sept./Oct. 2016.)

Researchers found that consumer behavior seen as “irrational” by security experts may be reasonable given consumers’ overload and lack of confidence that burdensome steps will protect them from a barrage of attacks that seem like someone else’s responsibility.

This finding validates comments filed in the Federal Communications Commission’s (FCC) recent broadband privacy proceeding, in which the agency proposed a variety of prescriptive security obligations that overlooked varied consumer preferences and evolving approaches. As one commenter, Consumers’ Research, noted, “over-notification is not just irritating,” it can harm consumers by “making them less likely to pay attention.” Consumers’ Research Comments, FCC Dkt. No. 16-106. The tech sector shares those concerns: Repeated notices leave consumers “desensitized, tuned out and unable to differentiate” between important and less important information. Consumer Technology Association Comments, Dkt. No. 16-106. It is better to leave solutions to the market and avoid mandates that lead to over-notification or lock in static solutions.

NIST researchers suggested three principles that might help combat consumer security fatigue: “limit the decisions users have to make related to security; make it easy for users to do the right thing related to security; and provide consistency (whenever possible) in the decisions users need to make.” These principles can help the private sector, but should not drive government mandates or limitations on choice. User groups will have different needs, preferences, and abilities. As a result, authentication technologies (from biometrics to adaptive authentication to multifactor) are evolving to address these concerns. Each solution has its own tradeoffs, so enterprises and consumers should have flexibility.

In the end, NIST should look to the role that sustained, clear consumer education could play to combat these trends. This study reinforces how challenging this area is, and how poorly suited it is to mandates or single solutions. More research and input will help identify workable solutions that help consumers and improve security.