Abstract

Cybersecurity fatigue is a form of work disengagement specific to cybersecurity. It manifests as a weariness or aversion to cybersecurity-related workplace behaviors or advice and occurs as a result of prior overexposure to cybersecurity-related work demands or training. While some previous theoretical conceptualizations of cybersecurity fatigue are available, this article is the first to capture all dimensions of the phenomenon in a four-component model. The model holds that cybersecurity fatigue can result from overexposure to workplace cybersecurity advice (e.g., training) or cybersecurity actions (e.g., forced password updates). Similarly, we argue that there can be two types of cybersecurity fatigue: attitudinal (e.g., a belief that cybersecurity is not important) and cognitive (e.g., habituated bad behaviors). We present a multidisciplinary review, which draws on research from management, psychology, and information systems. Practitioners can use the four-component model to identify the type of cybersecurity fatigue that may be occurring in employees and adapt workplace processes accordingly to improve behavior. In addition, we present three illustrative case studies, adapted from employee experiences, to demonstrate the application of the four-component model to an organizational context. The review presents a framework for coordinating the existing approaches to cybersecurity fatigue in the current literature.

Highlights

  • In 2018, 35% of Chief Cyber Security Officers reported employee security education and training as the highest priority to ensure cyber security, outweighing infrastructure upgrades, breach defense, and network defense (Financial Services Information Sharing and Analysis Center, 2018)

  • We describe the dimensions of cyber security fatigue and join these into a four-component model

  • We found that approaches to cyber security fatigue could be broadly described by two components: Factors relating to employee attitude and factors that are cognitive and largely unconscious

Read more

Summary

Introduction

In 2018, 35% of Chief Cyber Security Officers reported employee security education and training as the highest priority to ensure cyber security, outweighing infrastructure upgrades, breach defense, and network defense (Financial Services Information Sharing and Analysis Center, 2018). We found that approaches to cyber security fatigue could be broadly described by two components: Factors relating to employee attitude (e.g., reactance) and factors that are cognitive and largely unconscious (e.g., habituation). An employee who is experiencing attitudinal-type fatigue may be unmoved by an intervention, which seeks to reduce the cognitive load required to maintain cyber security.

Results
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.