Please use this identifier to cite or link to this item: https://hdl.handle.net/2440/138265
Type: Thesis
Title: Applying depletion theory and personal construct psychology to understand Cybersecurity Fatigue: the development and exploration of a four-component model
Author: Reeves, Andrew John
Issue Date: 2022
School/Discipline: School of Psychology
Abstract: Risky employee behaviour is a prevalent threat to the cybersecurity of modern organisations. In addition, there is emerging evidence that extant efforts to improve employee behaviour (such as awareness training programs) inadvertently can have deleterious outcomes by contributing to cybersecurity fatigue in employees. The aims of the research project were to: (1) develop an integrative definition and schematic model of cybersecurity fatigue which consolidates the multidisciplinary research that is relevant to the problem, (2) induce aspects of fatigue in employees and observe the consequent effect on cybersecurity behaviours, (3) investigate the experiences of employees undergoing cybersecurity training programs and identify the factors that may lead to cybersecurity fatigue, and (4) examine the current awareness of cybersecurity decision makers of these factors and their capability to address cybersecurity fatigue in their workforce. To address these aims, six independent, but related, studies were conducted. Paper 1 addressed the first aim through a narrative review of the literature which led to the development of a conceptual model of cybersecurity fatigue. Cybersecurity fatigue was defined as a weariness or aversion to cybersecurity-related workplace behaviours or advice and occurs as a result of prior overexposure to cybersecurity-related work demands or training. The four-component model comprises two types: attitudinal and cognitive, and two sources: action and advice. The review indicated that researchers often overlook the action-related and cognitive types of cybersecurity fatigue, and this motivated the development of the studies reported in Conference paper and Paper 2. In addition, this review showed that workplace cybersecurity training programs can unintentionally cause advice-related cybersecurity fatigue and that existing literature does not yet fully understand the reasons for this. 
This observation guided the development of the two studies reported in Papers 3 and 4. Paper 2 began to address the second thesis aim by examining the effect of action-related and cognitive cybersecurity fatigue on password creation behaviours. The paper reports the results of two studies. Study 1 consisted of an extended replication of an earlier study by Coopamootoo, Groß, and Pratama (2017), which found that cognitively-fatigued employees create weak passwords. Unexpectedly, the results of Study 1 did not confirm this finding in that fatigued employees in our sample were equally as likely as others to create a strong password. Several theoretical and methodological reasons were advanced to explain these potential differences in results. A possible explanation was that employees who created their password using heuristic processes may be partially protected from the effects of cognitive depletion. Study 2 modified the design of Study 1 to investigate the combined effect of fatigue and decision-making style (i.e., heuristic or systematic) on password creation. Specifically, this study used an updated depletion task which induced cognitive fatigue and a more ecologically valid password creation exercise. The results from 249 employees provide partial support for the hypothesis that those who create passwords using heuristic processes are protected from the effect of cognitive fatigue. Likewise, cognitive fatigue affected the password creation behaviours of those who use systematic processes. Specifically, they were more likely to reuse a password when fatigued. This result supports the utility of the heuristic-systematic model of decision-making. Furthermore, this paper proposed that cybersecurity training programs may influence whether employees use heuristic or systematic processes when creating passwords. Therefore, it recommended that further research should examine the ways that cybersecurity training programs influence employee behaviour.
Accordingly, Papers 3 and 4 investigated the ways in which employees perceive the cybersecurity advice they receive at work and how this relates to their motivation to behave in a secure manner. Paper 3 addressed the third thesis aim by examining the attitudinal and advice-related components of cybersecurity fatigue via 20 in-depth interviews with Australian employees. This paper presents the findings of the first stage of this interview which comprised a discussion of the employees’ experiences of cybersecurity training at their place of work. The findings indicate that four overarching themes are relevant to understanding employee perceptions of cybersecurity training, including: their previously held beliefs about cybersecurity threats; the content and delivery of the training program; the behaviour of others around them; and, features of their organisation. Overall, employees generally had a poor view of cybersecurity training programs and identified various training-specific and broader organisational factors which relate to these perceptions. Paper 4 presented the findings of two further stages of the interview with 24 Australian workers. These stages involved participants viewing a series of cybersecurity training videos and discussing their perceptions and appraisals. Following this, participants completed a sorting task based on the repertory grid technique of structured interviewing. Key themes related to the content, style, and design of cybersecurity training videos, but also employees’ perceived characteristics of the intended audience and broader preconceptions of cybersecurity principles. These themes were used to construct a self-report measure of cybersecurity advice fatigue, the Cybersecurity Advice Fatigue Scale (CAFS). The CAFS was completed by 457 employees to examine its factor structure and convergent validity. 
The results indicate a five-factor structure and that the measure significantly correlates with scores on an existing measure of cybersecurity burnout. The CAFS can be used by researchers and cybersecurity practitioners alike to identify the features of their existing cybersecurity training programs which should be modified to enhance employee receptivity. Together, Papers 1-4 reveal the breadth of factors that relate to cybersecurity fatigue and the variety of solutions which may help to address the issue. Following this, the final study (presented in Paper 5) aimed to examine the extent to which cybersecurity professionals, management, and other employees are currently aware of these factors and whether they utilise this knowledge in their decision making. Accordingly, to address the fourth thesis aim, this study applied attribution theory to understand the decision making of 506 cybersecurity professionals, management, and other employees, and examined the ways in which they would act to address cybersecurity fatigue if it was present in their own organisation. The results indicate that all three employee groups utilise a self-defensive bias in their decision making and that cybersecurity professionals and managers may not be fully aware of the full breadth of solutions available to them to address cybersecurity fatigue. These results support the utility of attribution theory in understanding cybersecurity decision-making and how professionals perceive cybersecurity fatigue in themselves and others. In conclusion, this research project investigated the role of fatigue in employee cybersecurity behaviour and provided insights into the situational and psychological factors that might influence people’s propensity to behave in a secure manner.
This work included the development of a four-component model of cybersecurity fatigue, an explanatory framework to understand this highly varied and complex phenomenon, and throughout the thesis this model showed promise in its application to both practical and research contexts. It is hoped that the findings will have useful implications for the practice of cybersecurity management and for future studies examining the effects of cybersecurity fatigue on employee behaviour. Organisations can use the findings to understand the variety of diverse factors that relate to employee cybersecurity behaviour that may lead to cybersecurity fatigue.
Advisor: Delfabbro, Paul
Pittas (née Calic), Dragana
Dissertation Note: Thesis (Ph.D.) -- University of Adelaide, School of Psychology, 2022
Keywords: cyber security
information security
fatigue
human factors
depletion
training
Provenance: This thesis is currently under Embargo and not available.
Appears in Collections: Research Theses

Files in This Item:
File: Reeves2022_PhD.pdf (Restricted Access)
Description: Library staff access only.
Size: 10.01 MB
Format: Adobe PDF

