Sleeping with the Enemy: Does Depletion Cause Fatigue with Cybersecurity?

Cybersecurity training and awareness programs can act to exacerbate rather than improve the cybersecurity threat posed by naive and non-malicious actions of employees [1, 2]. Employees report being unable to keep up with cybersecurity demands while also managing their core workload [1]. Cyber Fatigue is a weariness, aversion, or lack of motivation regarding cybersecurity [3]. It manifests due to overexposure to cybersecurity and a lack of available cognitive or workplace resources to cope with its demands. The current study examined the effect of non-attitudinal fatigue, which results from repetitive cybersecurity actions, on password-creation behaviour. Data collection involved an online experimental task and a set of standardised and adapted psychometric measures. Based on previous research [4, 5], cyber fatigue was induced in the two experimental conditions using a CAPTCHA task. The study was completed by 187 (97 male, 90 female) employed adult participants. However, we found no significant relationship between depletion and password creation behaviours. Our findings have important practical implications for interventions and provides insight for training aimed at improving employee behaviour.

[1]  William Stallings ICAM: A Foundation for Trusted Identities in Cyberspace , 2016, IT Professional.

[2]  An updated meta-analysis of the ego depletion effect , 2017, Psychological research.

[3]  Andreas Eckhardt,et al.  The attitude cube - A three-dimensional model of situational factors in IS adoption and their impact on the attitude-behavior relationship , 2015, Inf. Manag..

[4]  Jennie Popay,et al.  Guidance on the conduct of narrative synthesis in systematic Reviews. A Product from the ESRC Methods Programme. Version 1 , 2006 .

[5]  S. Hart,et al.  Development of NASA-TLX (Task Load Index): Results of Empirical and Theoretical Research , 1988 .

[6]  Jonghwa Park,et al.  The role of privacy fatigue in online privacy behavior , 2018, Comput. Hum. Behav..

[7]  Mari W. Buche,et al.  To Fear or Not to Fear? A Critical Review and Analysis of Fear Appeals in the Information Security Context , 2017, Commun. Assoc. Inf. Syst..

[8]  Blase Ur,et al.  Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks , 2016, USENIX Annual Technical Conference.

[9]  Kathleen D. Vohs,et al.  Strength Model of Self-Regulation as Limited Resource: Assessment, Controversies, Update , 2016 .

[10]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[11]  Mary Frances Theofanos,et al.  Security Fatigue , 2016, IT Professional.

[12]  Roy F. Baumeister,et al.  Breaking the Rules: Low Trait or State Self-Control Increases Social Norm Violations , 2012 .

[13]  M. Hagger,et al.  Ego depletion and the strength model of self-control: a meta-analysis. , 2010, Psychological bulletin.

[14]  Sven Casteleyn,et al.  E-participation adoption models research in the last 17 years: A weight and meta-analytical review , 2018, Comput. Hum. Behav..

[15]  K. Vohs,et al.  How leaders self-regulate their task performance , 2018 .

[16]  Ronald J. Faber,et al.  Spent Resources: Self‐Regulatory Resource Availability Affects Impulse Buying , 2007 .

[17]  R. Baumeister,et al.  Ego depletion: is the active self a limited resource? , 1998, Journal of personality and social psychology.

[18]  LowryPaul Benjamin,et al.  Proposing the control-reactance compliance model CRCM to explain opposing motivations to comply with organisational information security policies , 2015 .

[19]  Stanislav Mamonov,et al.  The impact of information security threat awareness on privacy-protective behaviors , 2018, Comput. Hum. Behav..

[20]  Rupert Ward,et al.  Developing a General Extended Technology Acceptance Model for E-Learning (GETAMEL) by analysing commonly used external factors , 2016, Comput. Hum. Behav..

[21]  InduShobha N. Chengalur-Smith,et al.  Evaluating the effectiveness of learner controlled information security training , 2019, Computers & security.

[22]  R. Dhar,et al.  Trade-Offs and Depletion in Choice , 2010 .

[23]  Daniel Lowe Wheeler zxcvbn: Low-Budget Password Strength Estimation , 2016, USENIX Security Symposium.

[24]  Malcolm Robert Pattinson,et al.  Factors that Influence Information Security Behavior: An Australian Web-Based Study , 2015, HCI.

[25]  K. Vohs,et al.  How leaders self-regulate their task performance: evidence that power promotes diligence, depletion, and disdain. , 2011, Journal of personality and social psychology.

[26]  Kalana Malimage The role of habit in information security behaviors , 2013 .

[27]  Zarul Fitri Zaaba,et al.  Habituation effects in computer security warning , 2018, Inf. Secur. J. A Glob. Perspect..

[28]  Steven Furnell,et al.  Recognising and addressing ‘security fatigue’ , 2009 .

[29]  Mahmood Shah,et al.  Employees' behavioural intention to smartphone security: A gender-based, cross-national study , 2020, Comput. Hum. Behav..

[30]  Paul Benjamin Lowry,et al.  Institutional governance and protection motivation: Theoretical insights into shaping employees' security compliance behavior in higher education institutions in the developing world , 2019, Comput. Secur..

[31]  Kovila P. L. Coopamootoo,et al.  Effect of Cognitive Depletion on Password Choice , 2016 .

[32]  Lujo Bauer,et al.  Of passwords and people: measuring the effect of password-composition policies , 2011, CHI.

[33]  S. Danziger,et al.  Extraneous factors in judicial decisions , 2011, Proceedings of the National Academy of Sciences.

[34]  Paul Benjamin Lowry,et al.  Proposing the control‐reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies , 2015, Inf. Syst. J..

[35]  Kathleen D. Vohs,et al.  PSYCHOLOGICAL SCIENCE Research Article SELF-REGULATORY FAILURE: A Resource-Depletion Approach , 2022 .