Heard it all before: Researchers warn of ‘breach fatigue’

Hacks are now becoming so prevalent that consumers are failing to take corrective action, researchers have claimed

As large-scale hacks become more commonplace, it would be logical to assume that consumers are ramping up their efforts to protect themselves online.

It seems, however, that this is not the case.

A team of researchers from Iowa State University (ISU) and the University of Texas at San Antonio have warned of the dangers of “data breach fatigue” – a paradoxical phenomenon in which the increased prevalence of hacks actually serves to reduce consumers’ motivation to change their behavior.

With so much personal information being digitized and stored online, Rui Chen, an associate professor of information systems in ISU’s Ivy College of Business, said breaches are now the norm for consumers, and breach fatigue creates an ever-growing opportunity for cybercriminals.

“When a data breach happens they’re not motivated to take any corrective or protective action,” Chen said. “They don’t use a stronger password and change it more often or check their credit files. When this happens society pays, and criminals are the only ones who benefit.”

As part of their research into the phenomenon, Chen and his colleagues at the University of Texas scrutinized the public response to the 2015 data breach at the US Office of Personnel Management (OPM), which affected 21.5 million people.

The researchers examined more than 18,000 tweets posted on Twitter over a two-month period that included the hashtag #OPMHack.

While they expected to see fluctuations in social media activity based around subsequent key events – such as the resignation of the OPM director – they instead noted that consumer engagement quickly tapered off.

“The quick drop off in engagement indicates either an acceptance of the breach event or an apathetic tendency toward it, as would be expected with the onset of breach fatigue,” Chen said.

Following the social media study, the research team is now surveying victims of the OPM and Yahoo! hacks to learn more about how data breach fatigue affects behavior.

According to Chen, the work may help improve interventions to change consumer behavior and limit the economic costs associated with these breaches.

“If people don’t care about data breaches, lawmakers will have no motivation to beef up laws to protect against cyber-threats,” he said.