Choice Fatigue Might Affect Information Security Decisions

Mental exhaustion from making repeated decisions can lead humans to avoid choices that require additional thinking, which often means maintaining the status quo. This tendency may result in security and risk choices being influenced by extraneous variables that should be irrelevant to the decision.

Parole Hearings and Meals

In a paper titled Extraneous Factors in Judicial Decisions, the researchers found that judges were more likely to grant parole when the hearing was held shortly after a meal. More specifically,

“The likelihood of a favorable ruling is greater at the very beginning of the work day or after a food break than later in the sequence of cases.”

The researchers concluded that “when judges make repeated rulings, they show an increased tendency to rule in favor of the status quo.” Though the behavior could be the result of lower blood glucose levels, researchers attributed the tendency primarily to mental depletion. A brain tired of making choices might shun additional workload by simply maintaining the status quo—which meant denying parole requests after hearing a certain number of cases.

Making Decisions Is Tiring

An earlier study titled Choice Fatigue: The Effect of Making Previous Choices on Decision Making explored the extent to which humans tire of making decisions. The researchers concluded that “decision outcomes are dependent on the number of previous decisions made.” More specifically,

“Making more decisions prior to a particular decision increases the likelihood of abstention from the decision as well as the reliance on heuristics (such as choosing the status-quo) in decision-making.”

The researchers coined the term choice fatigue to describe the effects of mental exertion experienced after making repeated choices.

Potential Information Security Implications

Information security professionals make choices on a regular basis. These include:

  • Is the severity of the vulnerability too low to justify patching it?
  • Is the alert issued by an intrusion detection system a false positive?
  • Should a particular service be disabled when locking down a server?
  • Is a 14-character password sufficiently long for the situation?
  • Is the security policy document sufficiently descriptive?

After numerous risk-related choices during the day, choice fatigue may lead to making easier decisions that eliminate the need for further mental processing, such as deeming the vulnerability irrelevant or labeling an alert a false positive. The individuals most likely to be affected by this may be those in operational roles that demand continued oversight of security events. Forensics specialists sifting through large amounts of data might also be affected by choice fatigue.

So, don’t let choice fatigue get you. Take a break now :-)

For more thoughts along these lines, see The Reason For All Information Security Woes… Sleep Deprivation.

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
