Security fatigue: manifestation of emotional exhaustion and cynicism by depletion of self-regulation capacity
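The study proposes the concept of "security fatigue": frequent changes in organizational security policies deplete employees' self-regulation capacity, which manifests as emotional exhaustion and cynicism toward security and in turn reduces security compliance behavior. Based on data from 298 employees, it analyzes how organizational and personal resources affect security fatigue.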
As the cyber threat landscape evolves, organizations are regularly tightening their security policies and procedures, implementing frequent software updates, and updating more processes and guidelines, including more stringent password guidelines and restrictions on data access. These changes trigger stress in employees that, over time, leads to a depletion of self-regulation capacity and manifests as emotional exhaustion and security-associated cynicism, which we call security fatigue. This fatigue results in a laxity in compliance with security guidelines and apathy towards security. Using the job demand-resource theory and self-regulation theory, this study conceptualizes security fatigue and attempts to understand the influence of security fatigue on the security compliance behavior of employees. We analyze data from 298 full-time employees, and our results show how organizational (organizational technological support and decision latitude) and personal (self-regulation capacity) resources interact with security demands and work impediments to influence employee security fatigue. Our results also indicate how security fatigue affects the security compliance behavior of employees. The results of the study could provide guidance to organizations in managing security policies and guidelines so as not to exacerbate the security fatigue of employees.