Choice Fatigue Might Affect Information Security Decisions

Mental exhaustion from making repeated decisions can lead humans to avoid choices that require additional thinking, which often involves maintaining the status quo. This tendency may result in security and risk choices being influenced by extraneous variables that should be irrelevant to the decision.

Parole Hearings and Meals

In a paper titled Extraneous Factors in Judicial Decisions, the researchers found that judges were more likely to grant parole when the hearing was held shortly after a meal. More specifically,

“The likelihood of a favorable ruling is greater at the very beginning of the work day or after a food break than later in the sequence of cases.”

The researchers concluded that “when judges make repeated rulings, they show an increased tendency to rule in favor of the status quo.” Though the behavior could be the result of lower blood glucose levels, researchers attributed the tendency primarily to mental depletion. A brain tired of making choices might shun additional workload by simply maintaining the status quo—which meant denying parole requests after hearing a certain number of cases.

Making Decisions Is Tiring

An earlier study titled Choice Fatigue: The Effect of Making Previous Choices on Decision Making explored the extent to which humans tire of making decisions. The researchers concluded that “decision outcomes are dependent on the number of previous decisions made.” More specifically,

“Making more decisions prior to a particular decision increases the likelihood of abstention from the decision as well as the reliance on heuristics (such as choosing the status-quo) in decision-making.”

The researchers coined the term choice fatigue to describe the effects of mental exertion experienced after making repeated choices.

Potential Information Security Implications

Information security professionals make choices on a regular basis. These include:

  • Is the severity of the vulnerability too low to justify patching it?
  • Is the alert issued by an intrusion detection system a false positive?
  • Should a particular service be disabled when locking down a server?
  • Is a 14-character password sufficiently long for the situation?
  • Is the security policy document sufficiently descriptive?

After numerous risk-related choices during the day, choice fatigue may make it easier to pick the option that eliminates the need for further mental processing, such as deeming the vulnerability irrelevant or labeling an alert a false positive. The individuals most likely to be affected by this may be those in operational roles that demand continued oversight of security events. Forensics specialists sifting through large amounts of data might also be affected by choice fatigue.

So, don’t let choice fatigue get you. Take a break now :-)

For more thoughts along these lines, see The Reason For All Information Security Woes… Sleep Deprivation.


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.