NIST: People have given up on cybersecurity – it's too much hassle

Online security for the general public is just too much bother. According to a study released on Tuesday by the US National Institute of Standards and Technology (NIST) and published in IEEE's IT Professional, people are overwhelmed with messages about online perils and have just given up.

The result, as the study puts it, is security fatigue that leads to risky behavior. Mulling the possibility of a compromised account, one survey participant remarked, "It is not the end of the world. If something happens it is going to happen."

That attitude might go unnoticed on Yahoo's security team, but it concerns Mary Theofanos, a computer scientist in the material measurement laboratory at NIST and lead author of the report.

In a phone interview with The Register, Theofanos said she and her colleagues interviewed about 40 people to understand how non-technical people think about computer security.

That's not exactly a significant sample. But Theofanos said the study was qualitative rather than quantitative, with interviews lasting 45 minutes to an hour for each person.

"The idea was to inform our team of the baseline," Theofanos said, noting that the intent was to advance the goals of the National Initiative for Cybersecurity Education (NICE).

The interview participants revealed an unexpected level of fatalism and resignation. "We were reading through the results and we saw this overwhelming sense of not being able to keep up," said Theofanos.

People believe that security has become too complex and they don't see the benefit of making an effort, Theofanos explained.

Some interviewees appear to be under the impression that they don't have any information worth stealing. One respondent said, "I don't work for the State Department, and I am not sending sensitive information in an email. So, if you want to steal the message about [how] I made blueberry muffins over the weekend, then go ahead and steal that."

Theofanos said the attitude was different among the few subjects who had actual experience with cyber crime. "Some had experienced identity theft problems, as they described it," she said. "They were much more aware of security."

To help change people's mental models so that they will participate in cybersecurity, Theofanos said technology professionals have to do more work for the people using their products, so that people don't need to make too many decisions. "We need to make it easy for them to do the right thing," she said. "We need to make these things habits, so they don't really have to think about it."

Thinking about these issues just doesn't produce great results, it seems. ®