Choice Fatigue Might Affect Information Security Decisions

Mental exhaustion from making repeated decisions can lead humans to avoid choices that require additional thinking, which often involves maintaining the status quo. This tendency may result in security and risk choices being influenced by extraneous variables that should be irrelevant to the decision.

Parole Hearings and Meals

In a paper titled Extraneous Factors in Judicial Decisions, the researchers found that judges were more likely to grant parole when the hearing was held shortly after a meal. More specifically,

"The likelihood of a favorable ruling is greater at the very beginning of the work day or after a food break than later in the sequence of cases."

The researchers concluded that "when judges make repeated rulings, they show an increased tendency to rule in favor of the status quo." Though the behavior could be the result of lower blood glucose levels, researchers attributed the tendency primarily to mental depletion. A brain tired of making choices might shun additional workload by simply maintaining the status quo—which meant denying parole requests after hearing a certain number of cases.

Making Decisions Is Tiring

An earlier study titled Choice Fatigue: The Effect of Making Previous Choices on Decision Making explored the extent to which humans tire of making decisions. The researchers concluded that "decision outcomes are dependent on the number of previous decisions made." More specifically,

"Making more decisions prior to a particular decision increases the likelihood of abstention from the decision as well as the reliance on heuristics (such as choosing the status-quo) in decision-making."

The researchers coined the term choice fatigue to describe the effects of mental exertion experienced after making repeated choices.

Potential Information Security Implications

Information security professionals make choices on a regular basis. These include:

  • Is the severity of the vulnerability too low to justify patching it?
  • Is the alert issued by an intrusion detection system a false positive?
  • Should a particular service be disabled when locking down a server?
  • Is a 14-character password sufficiently long for the situation?
  • Is the security policy document sufficiently descriptive?

After numerous risk-related choices during the day, choice fatigue may lead to making easier decisions that eliminate the need for further mental processing, such as deeming the vulnerability irrelevant or labeling an alert a false positive. The individuals most likely to be affected by this may be those in operational roles that demand continued oversight of security events. Forensics specialists sifting through large amounts of data might also be affected by choice fatigue.

So, don’t let choice fatigue get you. Take a break now :-)

For more thoughts along these lines, see The Reason For All Information Security Woes… Sleep Deprivation.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.