Abstract

Employees today face an ever-expanding array of security demands: frequent password resets, multi-factor authentication, phishing simulations, and mandatory training modules. While each measure is designed to protect organizational assets, their cumulative effect can overwhelm employees, leading to “security fatigue,” a sense of exhaustion, disengagement, and resistance toward security requirements. Although the notion of security fatigue has appeared in practitioner reports and a few recent studies (e.g., Cram et al., 2021; Hsu et al., 2024), the construct remains relatively unexamined in information systems research. We introduce a research program to examine security fatigue through the lens of Conservation of Resources (COR) theory (Hobfoll, 1989), which has been used to examine stress responses and burnout. COR theory posits that individuals work to gain and maintain valued resources such as energy, attention, and time. When resources are depleted, individuals resort to coping strategies that may be maladaptive. Applying these perspectives, we argue that repetitive and burdensome security requirements represent a form of security demand load that drains employee resources, fostering fatigue. Fatigue, in turn, is expected to trigger coping responses such as avoidance (ignoring prompts), rationalization (minimizing risks), or risky workarounds (e.g., password reuse, credential sharing). We use a multi-method approach to examine this phenomenon. First, we will use survey methods to test a model linking security demand load, fatigue, coping responses, and organizational support factors. Second, we will conduct experimental studies manipulating security task frequency and complexity to observe effects on compliance and coping behaviors.
The contributions are threefold. Conceptually, this work broadens the research on security fatigue as a distinct construct in IS security behavior research – differentiating it from technostress, security-related stress, privacy fatigue, and burnout. Additionally, we examine it from the perspective of COR, complementing research using the Job Demands-Resources (JD-R) theory and connecting it to resource-based theories of stress. Methodologically, it advances empirical tools and experimental designs for studying fatigue in security contexts. Practically, it highlights the need for organizations to balance protection with usability, suggesting that streamlined processes, resource-supportive tools, and clearer communication may mitigate fatigue without compromising security.
