My guess is that outside of the 'cyber security bubble', the concept of "security fatigue" comes as no surprise. Indeed as someone who is looking out from the bubble, I too can concur with this sentiment.
In my opinion, whilst huge sums are being invested in ever more elaborate solutions for the security teams within enterprise IT departments, there is very little evidence that much is changing for the end user/consumer.
With users so often considered the weakest link, remarkably little imagination goes into training solutions. Go to any cyber security trade show and look for innovative approaches to providing security awareness education. It's not really considered sexy, which is why most messages are repetitive and the education often dry and/or patronising. Indeed there is a sort of prevailing "how hard can it be?" attitude, whereby we are continuously bombarded with messages about strong passwords, software updates and the need to be vigilant with our email.
That said, last week I was speaking with an associate of mine who works for a global enterprise. She explained how they were looking at increasingly innovative ways of driving the message home. For example, the use of gamification and other 'millennial' friendly techniques that capture the imagination rather than force their intended audience to tune out.
It is to be hoped that the techniques being developed here could become the norm, filter down to the rest of us and ultimately help us all establish an unconscious competence when it comes to staying secure. With so many aspects of our lives now governed by what we do online, maybe we will ultimately evolve an innate, sixth sense that will ensure we no longer have to be educated, we just know!
Responses from interviewees revealed that many were fatalistic about what they could do to avoid being attacked and many were resigned to being caught out at some point. Many questioned why they would be targeted by malicious hackers given that they did not work for a sensitive government department or for a finance company. Few could name a friend or relative that had been hit by a hack attack. Others asked how they could possibly be expected to stay safe when massive corporations that spent huge sums on security were regularly caught out. The NIST said it was planning a follow-up study with people who worked in the technology sector to gauge their feelings about security and to find out if they felt overwhelmed to the same degree.