
Fighting Security Fatigue: 10 Steps for Detection & Prevention

July 26, 2018 by Susan Morrow

In 2017, there was a doubling of cybersecurity attacks. We witnessed and personally felt the impact of major incidents that hit some of our largest corporations, including Equifax and Uber. And this constant exposure to cybersecurity incidents has an effect on our psychology.

Research has shown that human beings have a tendency to remember the bad rather than the good. The trouble with this is that we end up in a situation where we feel disempowered by events, and eventually, we just stop caring. This is being reflected in the security industry by a phenomenon known as “security fatigue.”

What is Security Fatigue?

A study published in IT Professional looked at various aspects of security fatigue. In the study, the participants described feelings of “fatalism,” “risk avoidance” and “loss of control.” It’s likely that if you are reading this, you can relate to any or all of those feelings in terms of the current cybersecurity climate.

The ultimate result of these feelings is to practice risky behavior. And with risky behavior comes more security issues and, in turn, increased security fatigue. You can see the vicious circle closing in.

To break out of this circle, we need to use strategies to give back the control and stop the fatigue from setting in.

10 Steps to Detect and Prevent a Cyber Incident

These 10 steps offer ways of getting that control back and making cybersecurity less of a worry.

1. How Do We Solve a Problem Like Passwords?

Password fatigue is a well-known phenomenon. In the study mentioned above, participants stated “I get tired of remembering my username and passwords.” In a world where business users have, on average, 191 passwords, and where 81% of breaches are due to password exposure, fatigue can very quickly set in.

Options to reduce password stress in a given system need to be explored. There are a number of ways of doing this which are dependent on the environment. They include:

    1. Single Sign On (SSO) across applications. This can be shored up using risk-based authentication, which applies rules to control access
    2. Password managers (although these applications are only currently used by around 12% of users)
    3. Passwordless authentication (an increasingly-used mechanism to remove passwords based on behavior profiling)

2. Fit for Phishing

As mentioned above, fatigue is often associated with lack of control. Giving users back control can be achieved through education. Phishing is a favorite tool of hackers, with 76% of organizations being phished in 2017. Phishing simulation exercises allow your wider user base, including employees, to be trained in spotting the subtle signs of phishing. This simple method can put that feeling of being in control of security back in your users’ hands.

3. Secure Connections

WiFi can be the silent entry point for hackers, so make sure your user base is as safe as can be. Remove obvious vulnerable areas by methods such as using an inconspicuous SSID, implementing robust authentication, including “enterprise mode,” applying server-side verification to prevent Man-in-the-Middle, and using a wireless intrusion detection system (WIDS).

4. A Patch in Time

In 2017, a total of 14,712 known vulnerabilities were identified. Keep on top of these software flaws by ensuring software and IoT devices are patched in a timely manner.

5. Second Nature

Human fallibility is behind many security breaches, including those described as non-malicious insider threats. Making security second nature is one way to remove the creeping concerns that fill our days with regards to security. This is achieved by making security (and privacy) part of our corporate culture.

In addition, it’s important to ensure that people are aware of what constitutes a possible security issue in their day-to-day work. Security awareness programs can be tailored to the nature of your business and to your employees’ specific needs.

6. Second Nature, Part 2

Integrating security with processes ultimately removes the constant vigilance needed to mitigate risks. One way to do this is to use a robust second-factor credential wherever possible. Two-factor authentication, or 2FA, requires that when a user logs in they have to enter a second credential, e.g. a code received on a mobile device or via email. This helps to blunt phishing attempts, because even if a password is stolen, the phisher would still need the second factor to gain access.

There are a number of 2FA options available, but the important thing is to ensure that they are implemented correctly as some second-factor methods, such as SMS text codes, can potentially be hacked.
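The “code on a mobile device” second factor described above is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226). The following is an added illustration written for this article, not code from the original post or from any product it mentions; it uses only the Python standard library. The base32 secret is the published RFC test secret (the ASCII string `12345678901234567890`), included only so the output can be checked against the RFC vectors; a real deployment generates a random secret per user. The replay guard in `TotpVerifier` is the kind of “implemented correctly” detail the paragraph warns about: a code that has already been accepted must not be accepted a second time inside the same time step.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" as base32).
# Used here ONLY to reproduce the published test vectors; never reuse it.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time // step), digits)


def verify_totp(secret_b32: str, candidate: str, for_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (clock skew tolerance). Uses a constant-time comparison so the check
    does not leak how many leading digits matched."""
    if for_time is None:
        for_time = time.time()
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    counter = int(for_time // step)
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


class TotpVerifier:
    """Server-side verifier that also rejects replays: once a code for a
    given counter value has been accepted, that counter (and earlier ones)
    can never be accepted again for this user."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step, self.digits, self.window = step, digits, window
        self.last_accepted_counter = -1

    def verify(self, candidate: str, for_time=None) -> bool:
        if for_time is None:
            for_time = time.time()
        if not (candidate.isdigit() and len(candidate) == self.digits):
            return False
        counter = int(for_time // self.step)
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_accepted_counter:
                continue  # already consumed (or older than something consumed)
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    # Reproduces RFC 6238 Appendix B: at t=59 the 8-digit SHA-1 TOTP is 94287082.
    print(totp(RFC_SECRET_B32, for_time=59, digits=8))
```

The `window` parameter is a trade-off: a wider window tolerates more clock drift on the user’s phone but also lengthens the period during which a code phished from the user remains valid, which is why the replay guard matters even with a small window.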

7. If in Doubt — Outsource

Cybersecurity specialists are in demand, with 70% of organizations citing a need for employees with those skills. This is driving salaries up and making those with cybersecurity skills much sought after. If your organization is struggling to recruit, you can turn to managed security services. (In fact, the managed security services sector is going to be worth $47.65 Billion by 2023 because of this skills gap.) If you can outsource some or all of your security, it will help to de-risk your company and de-stress your employees.

8. Tidy Desk, Tidy Mind

Having a clean-desk policy, where employees make sure that their desk is tidy at the end of the day, can help to alleviate security issues such as password exposure. 42% of people write passwords down on a piece of paper or in their phone. Making sure that Post-It notes with passwords aren’t left on a desk will help to prevent a breach and relieve security fatigue.

9. No Ransom

2017 seemed to be the year of ransomware, with a company struck by ransomware every 40 seconds. Protect your organization from the worst nightmares of ransomware by using secure backups of your data.

10. Getting Closure

If employees or customers move on, close their accounts down. Old, unused accounts can become perfect targets for cybercriminals. In addition, the old accounts of ex-employees, unless closed, can leave an open hole in your system to allow possible data exposure.


Security fatigue is a real problem that is affecting more people as the breaches continue to escalate. The vicious circle of breach-fatigue-failure to act-breach-repeat has to be broken by detection and prevention. These 10 steps can help to remove the more obvious areas where security issues sneak in.

By doing everything we can across our organization to mitigate the risks of a cyber-attack, we begin to make our companies safer. By doing so, we make them a better place to work and we help to de-stress a complex situation. In the end, it’s all about giving back control to individuals and allowing them to feel as if they can make a difference.


Online Trust Alliance Reports Doubling of Cyber Incidents in 2017, Online Trust Alliance
New Study Suggests we Remember the Bad Times Better than the Good, Association for Psychological Science
LastPass Reveals 8 Truths about Passwords in the New Password Exposé, LastPass
Password management and mobile security, Pew Research
Is Passwordless Authentication More Secure Than Passwords?, Auth0
Report: 76% of Organizations Experienced Phishing Attacks in 2017, The State of Security
Security Vulnerabilities Published in 2017, CVE Details
This is why you shouldn’t use texts for two-factor authentication, The Verge
Demand for cyber security skills outstrips internal supply, research finds, Computer Weekly
Managed Security Services Market worth 45.65 Billion USD by 2023, Markets and Markets
Must-Know Ransomware Statistics 2017, Barkly

  1. Stanton, M. F. Theofanos, S. S. Prettyman and S. Furman, “Security Fatigue,” IT Professional
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.