Information security fatigue: when does enough become too much?
New research examines how information security overload can lead to fatigue and complacency in even the best employees
Though the capabilities of enterprise technology continue to advance with each passing year, the fundamental role that users play in securing complex systems has remained virtually unchanged. Decades after the creation of the most common operating systems, users still typically log in via the same basic authentication model — identity nomenclature plus password — that existed at the time the first version came to life. Indeed, rather than advancing to a more simplified security paradigm, users typically find themselves struggling with a plethora of identities, passwords, token devices, etc.— each one adding the security tasks needed to protect devices, enterprise systems, and data.
In many other contexts such as medicine and law enforcement, the impact of adhering to such complex protocols and procedures is studied carefully in order to understand the psychological burden they place on affected parties. Moreover, we understand that various forms of decision fatigue can arise in settings with high compliance efforts. Thus, it is not surprising to find that NIST researchers documented the existence of information security fatigue (henceforth, “security fatigue”) in a 2016 study looking at general user attitudes toward cybersecurity. Interestingly, a new paper from W. Alec Cram (Waterloo), Jeffrey G. Proudfoot (Bentley), and John D'Arcy (Delaware) takes the first structured look at the dynamics, causes, and consequences of this phenomenon.
For their research, the authors define security fatigue as a “socio-emotional state experienced by an individual who is tired and disillusioned with security policy requirements.” In a world overloaded with hacker warnings and information security advice, it is not hard to imagine someone feeling “worn out by security policy requirements and accompanying controls, to the point that their compliance declines.” However, it is important to note that workers who feel security fatigue are not the same as those who demonstrate security indifference; indeed, security fatigue may affect employees who at a prior time were models of correct security behavior, which makes understanding the phenomenon even more important. Unlike indifferent workers, the authors clarify upfront, fatigued employees “are weary of, and worn out by, the demands imposed by security policy requirements.”
We know that a large percentage of security breaches can be traced back to employee behavior. Consequently, if security fatigue is a factor in these scenarios, it is an issue that should be studied and understood.
In designing their study, the authors set out to examine two principal questions:
How do employees become fatigued by security policy requirements?
How does security fatigue affect thier security policy compliance
To answer these questions the authors conducted 38 interviews that were coordinated with local chapters of the Information Systems Audit and Control Association (ISACA) and the information security organization (ISC)². The interviewees were professionals from business and IT departments, including end-users and IT staff in senior (15 of 38), middle (13 of 38) and junior (10 of 38) roles. Participants worked in a total of 32 companies in eight industries, including healthcare, financial services, education, IT, and professional services.
The authors note that “capturing the combined perspectives of end-users, IT practitioners and those at the management level facilitates a more accurate assessment of the potential linkages between security fatigue and aspects of security policy compliance.” In all, the authors collected and analyzed over 600 pages of responses to the questions presented.
The authors find that consistent patterns emerged from their research, starting with an emphatic reaffirmation that security fatigue is a real and problematic phenomenon comprised of three dimensions: frustration, tiredness, and hopelessness.
Frustration arose when workers believed that the security protocols they needed to fulfill were “tedious and prevented them from doing their work.” As one respondent stated:
Anybody who got a new computer, you could not download anything without admin approval. You had to go and have an admin type in their password to your computer to download anything, like Spotify. It was a giant pain and it was really frustrating and it is frustrating for anyone who is at the associate and analyst level because if they want to download something they have to go and get it approved by the admin.
Tiredness is different from frustration. Rather than being upset by company security policies, employees described a feeling of weariness because company policies were “endless” or could “never be fully satisfied.” For example:
I would say that the end users for the worksheets and the Microsoft Access databases and things like that, they are a little tired of compliance measures with change management and passwords and things like that, which are required for a public company.
Finally, the third fatigue dimension, hopelessness, refers to a feeling of being unable— on their own—to make any appreciable difference regarding security. In essence, note the authors, the employees simply ‘give up’ trying to complete all of the tasks requested of them. As one respondent stated:
I do begin to feel a little hopeless at times. I want to be more secure, but I read stuff and I begin to think, well what in the world can I do? I feel that I am so exposed and surveilled constantly; that it is not fatigue like ‘I don’t care’; it is fatigue like hopelessness. (Manager, Financial Services)
Interestingly, some aspects of information security, such as password management and information access rules, produced more fatigue than others:
Let’s take that end-point solution. It requires a user to click and say yes or no or allow it or not. And I see this on my own. I will get all these warnings that are coming out from the solution that I am using on my own computer and I don’t know which ones are good or not and I am a security guy. So an end-point user will continue to click yes, yes, yes. (CEO, Technology)
Overall, the research suggests that (a) security fatigue plays a real role in the failure to adhere to IT security standards and that (b) it takes various forms related to different aspects of security regimes.
The authors conclude that the most essential driver of fatigue is the “general inconvenience of security policy requirements.” A total of 24 interviewees made comments related to this category, most commonly in relation to the disruption that various security policy requirements have on productivity (which has been studied from a number of perspectives already within the IS security literature). Although most employees recognized that security is generally important, it seems that they become increasingly frustrated when security actions materially and negatively impact their productivity. For example:
Obviously if you are rushing through to get something done at the last minute, and you are really busy and then you find out that there is this hurdle that you need to go through because of a security measure, in that moment, it can be very frustrating, and I have definitely had experiences where it has been frustrating because I have been in a hurry. (Technology Consultant, Professional Services).
The second driver of fatigue concerns the “perceived legitimacy” of security policies. Put simply, fatigue appeared when security policy requirements were viewed as unfair, unreasonable, or unjust. A total of 19 interviewees made comments related to this category. These sentiments “commonly revolved around the requirement to adhere to security guidelines and procedures that employees did not feel applied to them, training that they viewed as being a waste of time and security activities that were thought to be unnecessary.” As one nurse noted:
It was a hassle having to have so many different passwords. And that was when I was like, can’t I just have the same password for everything? Why do I have to have three different passwords for everything? (Nurse Practitioner, Healthcare)
The third driver is related to the quantity of security policy communications and activities. In this dimension, employees explained that when they received too many security-related requests, they became increasingly unable to process the information. As expected, when employees reached their capacity to process security-related communications and activities, they simply lose the ability to make good choices. For example, as several interviewees told the authors:
I also get a lot of the emails of the phishing attacks from [my employer] and my first inclination is to just click and delete. I think we get way too much information and because of that I have a large habit to just delete any email that I get. (Software Engineer, Technology)
Lastly, the fourth driver deals with the communication of security policy requirements. Employees explained that the “length, style, format, medium and clarity of security policy communications and activities could cause fatigue.” For example, security policies that were too long, written with too much jargon, or always sent through the same distribution medium could generate fatigue in workers. Two interviewees described this issue as follows:
I think the IT security policies have gotten way too long and people don’t pay attention to them. Mostly because we have to make them long to meet some compliance regulation…but now they’ve become so long that people just don’t pay attention. (IT Director, Healthcare)
Of course, it is not hard to imagine what happens when security fatigue sets in, and the authors detail three major consequences produced by the condition:
Employees knowingly—though non-maliciously—violate security policies as a result of their fatigue by simply tuning out (e.g., not reading) the policy guidelines and procedures and doing nothing.
Employees actively attempt to circumvent security policy guidelines and procedures and take actions that enable them to avoid being constrained by a security policy in whole or in part.
Employees attempt to take the quickest and easiest action necessary to fulfill the absolute minimum security policy requirement, even if doing so is in violation of the basic intent of the policy. One respondent summarized this third outcome thus:
I think that there is fatigue pretty much everywhere, which is why you see people like me who create very simple passwords and just change one character at a time and increment them just to get rid of that fatigue and make it a bit easier. (Consultant, Professional Services).
A worrisome finding in the study is that employees often rationalized their behavior as either appropriate or as only a “minor transgression.” Indeed, the authors conclude that “for those employees who are experiencing security fatigue, there appears to be an increased likelihood that they will ignore security policy requirements, utilize policy workarounds and reduce their level of security policy compliance effort.” This finding reinforces other research that concludes employees who are overwhelmed by information security tasks often “disengage morally” from their violations, which in turn increases their future susceptibility to the same behavior.
It is important to note that this is the first formal research study to analyze the causes and mechanics of security fatigue in workplace settings. Therefore, as the authors readily admit, its findings require further investigation before one can consider them definitive. Still, the consistency of the respondent perspectives across multiple roles, seniority levels, and industries suggests that the authors have hit upon a problem worth further consideration. It also recalls other research I have previously featured in Thematiks that looked carefully at the relationship between fear and efficacy in information security non-compliance. Similar to that effort, this study emphasizes that “compliance behavior is not an ‘all or nothing’ proposition for employees.” On the contrary, “behavioral consequences stemming from security fatigue can be thought of as employees’ decreasing self-control in terms of their ability to comply with security policies as they should.” Moreover, “this pattern is consistent with the more general decision-fatigue phenomenon in which our security fatigue construct is grounded.”
This research provides novel insight into why and how some well-intentioned employees may stray from the path of security compliance, as well as specific recommendations for organizations to consider in response. The bottom line from this first look at security fatigue is a simple one. As much as employees may want to be “good citizens,” organizational security regimes that engender frustration, exhaustion, or lack of personal efficacy seem to create new problems even as they solve others. Indeed, perhaps the big takeaway from this study is that any well-designed information security program should carefully balance the positive effects of security protocols, training, and messaging with the adverse effects that can arise when employees feel overwhelmed by information they cannot process, actions they will not take, and power they (may believe) they do not have.
Cram, WA, Proudfoot, JG, and D'Arcy, J. When enough is enough: Investigating the antecedents and consequences of information security fatigue. Information Systems Journal. 2021; 31: 521– 549. https://doi.org/10.1111/isj.12319