I’ll admit it, I don’t know which password manager I should use. I spent a significant amount of time a couple of weeks ago doing a risk assessment on the use of kernel-level anti-cheat by the games in my Steam library, I’m exhausted by the information overload that comes into my bubble whenever I have to log into any aspect of our digital world that isn’t my own machine – and I don’t even work in cybersecurity.
For every new tool there is a new log in, for every program there is a new interface, for every ugly opt-in email there is an additional level of unease.
When we talk about cybersecurity fatigue, we’re usually talking about people getting complacent, hitting confirm on an MFA notification out of habit and frustration, or clicking on a seemingly trustworthy email in their inbox and sparking a cyber attack. In these circumstances, boredom and carelessness lead to business chaos. While the headlines go to data breaches – and goodness, are there a lot of big data breaches – the daily consistency of keeping our digital selves safe is where the pressure lies.
A security chain is only as strong as its weakest link and, to borrow from a certain British television program, it's often the company’s legacy that has to say goodbye if that link is broken.
However, that top-down view of cyber security as business critical infrastructure doesn’t help your everyday user, nor your not-particularly-tech-savvy employee who is just trying to answer customer service tickets without creating an international incident. I think that overwhelm we feel in our daily cyber lives, even something as simple as the uncertainty when the Playstation Network goes down yet again, bleeds into the rest of our approach to digital citizenry.
The most dangerous part? When you’re overwhelmed about something, when it feels like you have no hope in understanding its generalities let alone its nuances, that raises the risk of a breach.
Stepping away from the tech world for a second, part of the reason we see media literacy rates on the decline is because there is just so much content and that content is, a lot of the time, distressing. Why read the news if it’s just going to distress you? The same principle impacts cybersecurity fundamentals. Why learn to protect your data beyond the absolute basics if a) you don’t understand how anything works and b) the loss of that data feels inevitable?
To add another example to the pile: part of the reason privacy has eroded over the last two decades is because we’ve given up so much of it for simplicity and convenience, but also because to understand the true risks being taken is to feed into our overwhelm.
That’s why I look for antidotes, like this video by YouTuber Tom Scott about the use of lava lamps to enable part of CloudFlare’s security infrastructure. I love the duality of it, watching the calming ease of lava lamps flowing, oblivious to their role of maintaining the sanctity of the internet while an expert talks about the importance of these items, little more than dorm decor, in that process. That visual metaphor, from one of the internet’s greatest storytellers, is an apt one for how to decrease our overwhelm when it comes to cybersecurity.
We can take little steps to, as odd as it sounds, find joy in our cybersecurity. How? Well, you could be like Jason Thor Hall of Pirate Software who uses steganography for his passwords and shows this to his Twitch audience. Alternatively, and perhaps slightly more sensibly, you could play something like The Password Game – yes, really, that exists – to give you (or the cybersecurity overwhelmed person in your life) the opportunity to engage with password complexity in a fun way.
As readers of this column are likely already aware, I write about accessibility a lot. One of the best tools to help people implement alt text, a description that helps those using screen readers understand what an image means, is a project called Alt Text as Poetry. Being able to take alt text out of the convoluted worlds of UI and UX design, and into the realm of creative expression, really helps open folks up to the ability to create more access in a way that feels more inviting and less strenuous.
At the same time, I don’t think we can get away from the fact that our security systems are only becoming more complex. The initial confusion over the causes and impact of any catastrophic cyber incident can only add to the chaos when it’s brought into the public eye in a digestible way.
So, to my mind this requires a balance. You need your workers to know how to protect themselves as best they can, to feel safe flagging up any concerns to a manager, and give them channels to suggest how to improve processes even if cybersecurity isn’t their regular day job. Regardless of the industry, it is a requirement that today’s workers understand how phishing might compromise an inbox or the limits of two-factor authentication.
What I think we need to be careful about is making sure that the overwhelm doesn’t lead to nihilism. If you think that data is good as gone, you might start acting like it. On the other hand, if security fundamentals can be integrated into other tasks, like playing a game focused on passwords, it feels like there can be a little bit more hope and a little less frustration.
