When enough is enough: Investigating the antecedents and consequences of information security fatigue

Cram, W. Alec; Proudfoot, Jeffrey Gainer; D’Arcy, John

doi:10.1111/isj.12319

Cited by 31 publications

(14 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…D'Arcy and Teh (2019) found that people who feel fatigue may be more likely to use neutralization techniques to violate ISPs. Employees who experience security fatigue may be less likely to strictly comply with the ISP (Furnell and Thomson, 2009; Turel et al , 2019), which has negative consequences for organizational information security efforts (Cram et al , 2021).…”

Section: Introductionmentioning

confidence: 99%

Understanding employees’ information security–related stress and policy compliance intention: the roles of information security fatigue and psychological capital

Chen

Liu

Lyu

2022

ICS

View full text Add to dashboard Cite

Purpose This study aims to explore the emotion-based mediator of information security fatigue in the relationship between employees’ information security–related stress (SRS) and information security policy (ISP) compliance intention and the effects of psychological capital (PsyCap) on relieving SRS and promoting compliance. Design/methodology/approach The authors tested a series of hypotheses by applying partial least squares–based structural equation modeling to survey data from 488 employees in Chinese enterprises. Findings The results suggest that the relationship between SRS and ISP compliance intention is fully mediated by information security fatigue. Employees’ SRS promotes their information security fatigue, which reduces their intention to follow ISPs. In addition, employees with high PsyCap may experience low levels of SRS and information security fatigue, which promotes their willingness to comply with ISPs. Originality/value This study extends knowledge by introducing information security fatigue and PsyCap to the field of information security management, and it calls attention to the effects on information security behaviors of employee emotions and positive psychological resources in an organization. The authors reveal the emotion-based mediating effect of information security fatigue and the positive influence of PsyCap in information security management.

show abstract

Section: Introductionmentioning

confidence: 99%

Understanding employees’ information security–related stress and policy compliance intention: the roles of information security fatigue and psychological capital

Chen

Liu

Lyu

2022

ICS

View full text Add to dashboard Cite

show abstract

“…Rather, security fatigue is a gradual process experienced by employees who have been complying with security guidelines, but this adherence to guidelines becomes more burdensome and difficult over time. My preliminary research on security fatigue suggests that it too can lead to employees' non-compliance with ISP as well as a general minimization of effort toward IS security objectives (Cram et al, 2019b).…”

mentioning

confidence: 98%

“…Related to this point, there is evidence that a new phenomenoncalled "security fatigue"is occurring in the workplace. Security fatigue refers to a socio-emotional state experienced by an individual who becomes tired and disillusioned with security-related initiatives (Cram et al, 2019b). Research on security fatigue is at an early stage but it is thought that some employees may experience security fatigue due to the abundance (and perhaps perceived overload) of security-related rules and communications that they experience.…”

mentioning

confidence: 99%

Panel report: the dark side of the digitization of the individual

Turel

Matt

Trenz

et al. 2019

INTR

View full text Add to dashboard Cite

Purpose Digital technologies have diffused into many personal life domains. This has created many new phenomena that require systematic theorizing, testing and understanding. Such phenomena have been studied under the Digitization of the Individual (DOTI) umbrella and have been discussed in the DOTI pre-International Conference on Information Systems workshop for the last three years (from 2015 to 2017). While prior years have focused on a variety of issues, this year (2018) we decided to put special emphasis on negative effects of the DOTI, i.e., “the dark side” of the DOTI. Design/methodology/approach This manuscript reports on a panel of three experts (in alphabetical order: John D’Arcy, Hamed Qahri-Saremi and Monideepa Tarafdar) who presented their past research in this domain, as well as their outlook for future research and methodologies in research on the DOTI. Findings The authors introduce the topic, chronicle the responses of the panelists to the questions the authors posed, and summarize and discuss their response, such that readers can develop a good idea regarding next steps in research on the dark side of the DOTI. Originality/value The authors introduce the topic of the dark sides of DOTI and point readers to promising research directions and methodologies for further exploring this relatively uncharted field of research.

show abstract

“…Researchers at the National Institute of Standards and Technology raised awareness on security fatigue due to its unimpeded effort and challenges on information security (Stanton et al, 2016). Researchers publish articles on security fatigue (Cram, Proudfoot, & D'Arcy, 2019;Stanton et al, 2016); however, business organizations fail to account for the phenomenon. Nobles (2019) argued that issues such as security fatigue continue to plague information security, cybersecurity, and data privacy because human factors practitioners are not engaged in supporting cybersecurity.…”

Section: Security Fatiguementioning

confidence: 99%

Stress, Burnout, and Security Fatigue in Cybersecurity: A Human Factors Problem

Nobles

2022

HOLISTICA – Journal of Business and Public Administration

View full text Add to dashboard Cite

Stress, burnout, and security fatigue continue as slight destroyers of strong cybersecurity and significant human factors concerns. The persistence of these human performance issues is concerning given the lack of mitigation and integration of human factors practitioners to mitigate these adverse risk circumstances. Security fatigue is not a new phenomenon but the evolving nature of cybersecurity results in various sub-categories of security fatigue; thus, making it a difficult problem to solve. Stress and burnout are major causes of short tenures in senior roles for security executives. Business decision-makers lack the expertise to explore the negative influences of stress, burnout, and security fatigue on cybersecurity. Technology-led cycles are organizations’ primary course of action to mitigate cybersecurity threats, resulting in complexity debt and making businesses more vulnerable to attacks. Human factors professionals can identify high-friction areas that degrade human performance and implement initiatives to reduce the risk. Human performance degradation in cybersecurity is a critical risk factor and requires immediate attention, given that cybercriminals continue to exploit human weaknesses to gain access to sensitive and critical infrastructure.

show abstract

When enough is enough: Investigating the antecedents and consequences of information security fatigue

Cited by 31 publications

References 50 publications

Understanding employees’ information security–related stress and policy compliance intention: the roles of information security fatigue and psychological capital

Understanding employees’ information security–related stress and policy compliance intention: the roles of information security fatigue and psychological capital

Panel report: the dark side of the digitization of the individual

Stress, Burnout, and Security Fatigue in Cybersecurity: A Human Factors Problem

Contact Info

Product

Resources

About