According to the Freedom to Focus report,* 41% of employees identified excessive bureaucracy and process overload as major barriers to concentrating on their core responsibilities, with an additional 27% citing time-consuming security processes as a key hindrance. This information overload not only affects productivity but also undermines employees’ ability to effectively manage and respond to security threats, leaving organisations vulnerable in a fast-paced digital environment.

It’s understandable. Compliance obligations and security responsibilities have grown dramatically in recent years, but in many cases, the tools and technologies designed to help employees cope with the information tsunami has failed to keep up. Today, even the most diligent workforce can experience “security fatigue,” where the sheer volume of policies, rules, regulations and reminders becomes too much to bear. This isn’t just a policy problem, a technology problem, or a compliance problem – it’s also a cultural problem.

Understanding Security Fatigue

Security fatigue has become a pressing concern as organisations seek to maintain compliance while managing an increasingly complex array of cybersecurity threats. As Inge explains, security fatigue occurs when employees feel overwhelmed by the constant demand to follow numerous security protocols, especially when these demands feel disconnected from their core roles. This sense of fatigue often stems from well-meaning but excessive training and policy requirements, which can lead to disengagement or even non-compliance. Wetzer emphasised that many organisations unknowingly push employees toward fatigue by prioritising quantity over quality in security education.

Nadine added that, in some cases, security fatigue can create a false sense of complacency, where employees no longer view protocols as essential and may underestimate their importance. This disengagement makes organisations more vulnerable, as employees are less likely to fully engage with cybersecurity measures. Both speakers agreed that a more thoughtful, risk-based approach is needed—one that considers employees’ actual day-to-day responsibilities and avoids overwhelming them with non-essential compliance tasks. By focusing on clear, relevant guidance, organisations can help reduce fatigue and foster a more active commitment to secure practices.

Compliance Overload – A Precursor to Fatigue?

To combat security fatigue effectively, organisations must find a balance between essential security protocols and manageable compliance practices. Nadine noted that many organisations adopt a blanket approach, adding layers of rules and training to cover every potential threat. However, this can lead to an overload of requirements that employees struggle to follow, particularly when the rules feel unrelated to their specific roles. She suggested that a risk-based approach—prioritising measures based on relevance and impact—can make compliance efforts more effective and reduce unnecessary demands on employees.

Inge supported this perspective, pointing out that aligning security measures with real, identifiable risks helps employees see the value in following protocols. She explained that when organisations focus only on high-impact areas and eliminate redundant requirements, employees are more likely to feel that security practices genuinely support their work. This approach not only reduces compliance fatigue but also strengthens adherence, as employees understand that the measures are practical and purposeful.

Motivation Meets Practicality

Engaging employees in cybersecurity requires more than just instructing them to follow protocols; it requires a focus on motivation and relevance. Inge highlighted that people are more likely to adopt secure behaviours if they understand how these practices connect to their own roles and responsibilities. She pointed out that many organisations overlook this motivational element, defaulting to repetitive training that focuses on rules rather than purpose. Instead, Inge suggested using relatable scenarios and real-life examples to help employees see how cybersecurity affects their daily work and the organisation’s overall safety.

Nadine added that simplifying security measures is equally important. Overly complex policies can lead to confusion or unintentional non-compliance, as employees may struggle to understand what’s expected of them. She recommended making instructions as clear and direct as possible, ideally delivering guidance just-in-time, so that employees receive relevant training when they actually need it. This approach not only reduces the cognitive load on employees but also reinforces secure practices as a natural part of their work, rather than a disruptive add-on.

A Behavioural Psychology Perspective

From a psychological perspective, Inge explained that secure behaviour really relies on three key factors: knowledge, motivation, and opportunity. While training can address knowledge gaps, it doesn’t always translate into action if employees lack the motivation to apply what they’ve learned. Inge suggested that organisations should assess employees’ existing knowledge levels and, where appropriate, shift focus from mere instruction to motivational techniques that help individuals see the importance of security in their specific roles. Opportunity, the final point, means ensuring that employees have the resources and support to comply, from user-friendly tools to a supportive security culture. Without the right opportunities, even motivated employees may find secure practices hard to maintain. By addressing all three components, Inge argued, organisations can create a stronger foundation for lasting behaviour change and resilience against cyber threats.

Supporting Technologies

While behaviours around security are very much a human issue, technology can play a powerful role in helping to shape and nurture those behaviours. Nadine discussed how tools like phishing detectors, password managers, and automated encryption systems can help prevent human errors by adding a protective layer that doesn’t require constant vigilance from employees. She emphasised that while these tools are critical, they must be user-friendly. Complex or intrusive software can frustrate users and lead to workarounds, undermining security goals. Nadine advised that any security tool introduced to support compliance should integrate smoothly with employees’ regular workflows, ensuring that security is embedded seamlessly into daily tasks.

Inge added that when technology is designed with the user experience in mind, it not only improves compliance but can also foster a more positive attitude towards cybersecurity. She suggested that interactive demos and training sessions could be provided to boost employees’ confidence in using new security tools, especially for those who may feel intimidated by technology. By giving employees practical, hands-on experience, organisations can alleviate concerns, reinforce good habits, and make secure practices feel like an accessible, integral part of their work environment rather than an added burden.

*Report from Zivver