Security fatigue is something infosec pros (hopefully) don't suffer from, but apparently it is an ailment that is spreading among the general public, at least according to a study released this week.
The study, done for the U.S. National Institute of Standards and Technology (NIST), defined security fatigue as a weariness or reluctance to deal with computer security. As one of the study's research participants was quoted as saying, "I don't pay any attention to those things anymore … People get weary from being bombarded by 'watch out for this or watch out for that.'"
The worry is that this leads to risky behaviour, and that costs organizations.
A number of people have jumped on the study because this finding wasn't among the purposes of the survey. "We weren't even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data," computer scientist and co-author Mary Theofanos is quoted as saying.
But among the things the results have boiled down to is frustration with the number of passwords online users have to create and keep control of. Among the quotes from those surveyed were:
- "I get tired of remembering my username and passwords."
- "I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information."
- "It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly."
There are other disturbing comments from those interviewed, some of which have also been uttered by C-level execs, including the belief that no one would bother attacking them and that safeguarding data is someone else's responsibility.
What makes this report more sensitive is that it comes out during Cyber Security Awareness Month, when governments and infosec pros are trying to spread the word about users' responsibility in the security chain.
First, remember this was a survey of 40 people. When vendors pitch me surveys of infosec pros with a sample that small, I hesitate to put them into print. But let's assume it's true. What can infosec pros who design security systems and policies do about it? Particularly when best practices say security awareness training should be done regularly through the year?
NIST makes three suggestions to start:
- Limit the number of security decisions users need to make;
- Make it simple for users to choose the right security action; and
- Design for consistent decision making whenever possible.
When it comes to passwords, if your organization hasn't yet adopted an enterprise-grade password manager and/or a single sign-on solution you're behind the curve. "People are much more likely to have stronger passwords if they have fewer of them," Michael Argast, Telus' director of business strategy, pointed out in a recent interview.
There are infosec pros who despair of awareness training, complaining a small but significant number of people still do foolish things (perhaps suffering from security fatigue?), but Argast says "well-designed, well-targeted and well-communicated training is incredibly effective … the purpose of awareness training is not to make it perfect," he added, "but to reduce the odds" of compromise.
He also said one of the biggest mistakes organizations make is to treat users as the enemy: they look at user failure as a problem of the user rather than a failure of the security systems and policies to make it easier for users to do the right thing. Some two-factor authentication solutions can make things easier for employees, he said. And organizations may be too aggressive in certain policies: it may not be necessary to change passwords every 30 days, for example. More important is to have users choose secure passwords.
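To make the policy point concrete, here is an added example (my own illustration, not code from NIST, Telus or the article) of how a password policy can follow the advice above: fewer decisions for the user, a check for weak or commonly used passwords, and a forced change only on evidence of compromise rather than on a calendar. The blocklist, minimum length and the two policy profiles are constructed for the example; a real deployment would use a proper breached-password list and the organization's own thresholds.

```python
"""Constructed example of a 'low-fatigue' password policy versus a legacy one.

Recommended profile: length and a blocklist check, no scheduled rotation.
Legacy profile: the same checks plus a 30-day rotation, which is what the
article says may be unnecessary.
"""
from datetime import date, timedelta

# Constructed stand-in for a breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2016"}
MIN_LENGTH = 12  # Constructed threshold for the example.


def password_problems(password: str) -> list:
    """Return a list of reasons a candidate password is weak (empty if acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    # A long run of one character satisfies a length rule but little else.
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def must_change(last_changed: date, today: date, known_compromised: bool,
                rotation_days=None) -> bool:
    """Decide whether a user must set a new password right now.

    A known compromise always forces a change. Otherwise a change is only
    required when the policy has a rotation interval and it has elapsed.
    """
    if known_compromised:
        return True
    if rotation_days is None:
        return False
    return today - last_changed >= timedelta(days=rotation_days)


def compare_policies(last_changed: date, today: date, known_compromised: bool) -> dict:
    """Show what the legacy (30-day) and recommended (no rotation) profiles demand."""
    return {
        "legacy_30_day": must_change(last_changed, today, known_compromised, rotation_days=30),
        "recommended": must_change(last_changed, today, known_compromised),
    }


if __name__ == "__main__":
    print(password_problems("Summer2016"))                 # weak: short and blocklisted
    print(password_problems("correct horse battery staple"))  # acceptable
    # Constructed dates: password set in January, checked in October, no compromise known.
    print(compare_policies(date(2016, 1, 1), date(2016, 10, 7), False))
```

The interesting output is the last line: the legacy profile demands a change simply because 30 days have passed, while the recommended profile does not, yet both force a change the moment a compromise is known. That is the trade the article describes, one less recurring decision for the user without giving up the response that actually matters.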
Finally, note that former U.S. secretary of Homeland Security Michael Chertoff, who's now chairman of The Chertoff Group, a security and risk-management consulting firm, this month called for Washington to make it a "national priority" to replace passwords with something better, "leveraging the next generation of authentication technologies to authenticate identities in a way that is both stronger than passwords and also easier for people to use."