Study: 'Security Fatigue' May Weaken Digital Defenses
ALBANY, N.Y. (March 18, 2026) — From password resets and software updates to phishing alerts and cybersecurity trainings, today’s workplace is filled with constant reminders about digital security. But new research led by the University at Albany’s Massry School of Business suggests those well-intentioned safeguards may be having an unintended effect.
A recent study, “Security Fatigue: Manifestation of Emotional Exhaustion and Cynicism by Depletion of Self-Regulation Capacity,” published in the European Journal of Information Systems, examines how growing cybersecurity demands are impacting employee behavior. The research finds that repeated exposure to security requirements can lead to “security fatigue,” a state in which employees become mentally exhausted and disengaged from security practices.
“Security requirements are designed to protect organizations, but they also create additional demands on employees that build over time,” said Sanjay Goel, Morris Massry Endowed Professor and chair of Information Security and Digital Forensics. “When those demands outpace an individual’s capacity to manage them, it becomes harder to maintain consistent security behavior.”
Goel conducted the research with co-authors Akanksha Malik of the Guildhall School of Business and Law at London Metropolitan University (UK) and Shuchi Sinha of the Indian Institute of Technology Delhi (India).
The human side of cybersecurity
While cybersecurity is often framed as a technical challenge, the study highlights the growing strain placed on employees who must carry out security practices in real time.
Employees are routinely expected to manage a range of security-related tasks, from maintaining complex passwords to identifying phishing attempts and adapting to frequently updated policies. While each task is manageable on its own, the cumulative effect can create a sustained cognitive burden that interferes with employees’ primary responsibilities.
Over time, that burden depletes an individual’s ability to self-regulate, leading to fatigue that manifests as emotional exhaustion and disengagement from security practices. When that happens, employees may begin to ignore warnings, reuse weak passwords or seek workarounds that allow them to stay productive.
“People aren’t trying to bypass security,” Goel said. “In many cases, they’re simply overwhelmed by the volume and complexity of what’s being asked of them.”
The study finds that this behavior is typically not malicious, but the result of overload. Employees who disengage were often previously compliant but have been worn down by constant demands.
Reducing fatigue, improving compliance
To better understand the issue, the researchers surveyed nearly 300 full-time U.S. employees with experience navigating organizational cybersecurity policies. Their findings show that security fatigue is most likely to develop when security requirements interfere with employees’ ability to complete their primary job duties.
At the same time, the research identifies ways organizations can reduce the risk. Employees who feel confident in their ability to manage security tasks, a trait known as security self-efficacy, and those who understand cybersecurity risks are more likely to maintain compliance, even when fatigue is present.
“Organizations need to think carefully about how security policies are implemented,” Goel said. “Providing training, simplifying processes and integrating security into everyday workflows can reduce friction and help employees stay engaged with security practices.”
The study highlights the role of organizational support, including training and technical assistance, in helping employees navigate security requirements more effectively. When those supports are in place, the impact of security demands on day-to-day work is reduced.
As cyber threats continue to evolve, the findings point to a broader challenge: strengthening security without overwhelming the people responsible for carrying it out. The researchers suggest that organizations focus not only on stricter policies, but on designing systems that are sustainable over time.