February 2026 Volume 8

OPERATIONS & MANAGEMENT

TIRED OF DEALING WITH CYBERSECURITY? YOU’RE NOT ALONE

By Jim Kerr

Cybersecurity fatigue is real. If you’ve ever thought in exasperation, “Not another 2FA code!”, join the club. However, cybersecurity fatigue brings risk. When we stop caring, that’s when cybercriminals can do their best work.

Cybersecurity Fatigue Defined

The National Institute of Standards and Technology (NIST) defines security fatigue as “a weariness or reluctance to deal with computer security.” Back in 2016, a NIST study, Security Fatigue Can Cause Computer Users to Feel Hopeless and Act Recklessly, found that a majority of the typical computer users they interviewed experienced security fatigue. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore… People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Security fatigue was a measurable concern ten years ago. With the multi-layered security we use today, it stands to reason that those feelings are exponentially greater now.

Causes and Attitudes

The short answer is simply overload. Fluctuating security measures along with constant warnings about endless threats can feel overwhelming. Be on the lookout for these attitudes at your company:

Too Many Rules

Being forced to regularly change passwords, take “boring” cybersecurity training, or use other login tools like multi-factor authentication can feel frustrating.

Slows Me Down

Employees may take shortcuts if security is perceived as an obstacle to getting work done. These can include using the same easy password everywhere, emailing documents to personal accounts, or ignoring physical security risks like writing passwords on sticky notes.

“Not My Problem”

Some employees still believe the responsibility for cybersecurity rests solely with the IT department. Or they think the company is “too small” to be hacked. In fact, every company has information that’s valuable to a hacker, from payroll to customer data. And careless employees are the easiest way for cybercriminals to get in.

Why Bother?

From the most cynical perspective, since it seems like eventually everyone’s data is going to be “out there” anyway, why bother?

Not surprisingly, these attitudes can lead to risky computing behavior like using public Wi-Fi to bypass VPN security, sharing passwords, or emailing company information to a home computer.

Potential Business Costs

The most dangerous potential cost of cybersecurity fatigue is a breach that can be directly traced back to an error made by someone in your company. If an employee unknowingly “let someone in,” that could invalidate your cyber liability insurance claim. In addition, any breach risks significant financial losses, legal disputes, and reputational damage.

Cybersecurity Culture

In addition to tactics (like not clicking on a strange email), users also need to have the frame of mind to take smart actions and avoid cybersecurity fatigue on their own terms. In other words, they need to see the value of security and want to actively participate. In an ideal world, everyone would recognize and resist social engineering tactics, speak up about risks, and make sound decisions under pressure, thereby strengthening the organization's “human firewall” against attacks.

This is not a once-and-done effort. The first step is to recognize and acknowledge that every one of us behind a keyboard has a responsibility for our own cybersecurity. Remember, it IS a skill to develop and continually hone - not generally something that comes naturally. And in the new era of sophisticated AI cyber risks, refining everyone’s skills is even more important.

Consider these three questions for your organization:

Does your company have a positive cybersecurity culture?

A positive culture drives the values that determine the importance of cybersecurity awareness, and everyone has a role in its success. Importantly, this includes creating an environment for learning, not blaming, so everyone is comfortable reporting security concerns and asking questions.

Does everyone believe they have responsibility for cybersecurity?

Encourage everyone to care about their responsibility to help protect the organization. Discourage multitasking, since being distracted makes users particularly vulnerable to phishing attacks.

Do you offer interesting cybersecurity training?

The risk landscape changes daily, and cybersecurity training keeps everyone sharp. A long annual training can be perceived as boring. Consider short, engaging video trainings on current topics once a month instead.

Tips to Reduce Cybersecurity Fatigue

Security fatigue causes risks, and hackers are counting on us to be careless. As the saying goes, “Hackers only need to get it right once. We need to get it right every time.” To summarize, here are a few things you can do:

FIA MAGAZINE | FEBRUARY 2026 44
