Security fatigue: manifestation of emotional exhaustion and cynicism by depletion of self-regulation capacity

As the cyber threat landscape evolves, organizations are regularly tightening their security policies and procedures, implementing frequent software updates, and update more processes and guidelines, including more stringent password guidelines, and restrictions on data access. These changes trigger stress in employees that over time leads to a depletion of self-regulation capacity and manifests as emotional exhaustion and security associated cynicism in employees which we call security fatigue. This fatigue results in a laxity in compliance with security guidelines and apathy towards security. Using the job demand-resource theory and self-regulation theory, this study conceptualizes security fatigue and attempts to understand the influence of security fatigue on the security compliance behavior of employees. We analyze data from 298 full-time employees, and our results show how organizational (organizational technological support and decision latitude) and personal (self-regulation capacity) resources interact with security demands and work impediments to influence employee security fatigue. Our results also indicate how security fatigue affects the security compliance behavior of employees. The results of the study could provide guidance to organizations in managing security policies and guidelines so as not to exacerbate the security fatigue of employees.