Research on IS security behavior regularly identifies individuals’ personal characteristics as the reason why users refrain from adequate safeguarding techniques and ignore recommended security responses. This study aims to extend this body of literature, and sheds light on the concept of security fatigue: hereby, users receive numerous message cues reporting recent security risks and recommending certain response behaviors. However, instead of fostering awareness among individuals, users are too exhausted to follow these security recommendations. This setback may result in a lack of adequate response behavior and personal information systems being vulnerable to future threats. This paper builds on the theory of self-regulation, which is essential for successful risk avoidance behavior, as well as the concept of ego-depletion resulting from a high amount of self-regulatory activities. A measurement instrument for security fatigue is adopted, based on self-regulatory theory. Perceived information overload and locus of control are further tested to determine the level of security fatigue. In two consecutive online surveys, we pre-test the validity of the context adapted scales. Conducting a follow-up study to validate our conceptual research model, we conclude that subjective information overload is the most critical cause of security fatigue and a lack of adequate security behavior.