What is "Security Fatigue", and what does it do to protection motivation?
Security fatigue is a state of mental exhaustion from the sheer volume of security demands — not a motivation model, but a condition that makes users ignore warnings and disable features just to get work done.
* Security fatigue: an endless stream of security decisions exhausts users, who then ignore warnings and disable features. *
Described by Stanton, Theofanos, Spickard Prettyman & Furman (2016, NIST): users are overwhelmed by the endless stream of security decisions —
- Install the update? Accept cookies? Change the password? Check this suspicious mail? …
Consequences:
- Warnings get ignored, security features get deactivated — "um einfach nur arbeiten zu können" (just to be able to work)
- In PMT terms: fatigue raises the perceived Handlungskosten of every additional security action, thereby lowering Schutzmotivation across the board
Design implications: every security prompt spends a limited attention budget. Reduce decisions (sane defaults, automation), bundle requirements, and reserve interruptions for moments that matter. "Weniger ist mehr" in awareness content is the same principle — ten campaigns a year produce fatigue, not awareness.
Go deeper:
Security Fatigue (Stanton, Theofanos et al., NIST 2016) — Die Original-NIST-Studie: Resignation und Entscheidungsvermeidung durch zu viele Sicherheitsentscheidungen.