Discover Mental Health. 2025 Feb 25;5(1):25. doi: 10.1007/s44192-025-00149-x

Digital detox: exploring the impact of cybersecurity fatigue on employee productivity and mental health

Filiz Mizrak 1, Hatice Gökçe Demirel 2, Okan Yaşar 3, Turhan Karakaya 4
PMCID: PMC11861440  PMID: 39998759

Abstract

This study investigates the growing phenomenon of cybersecurity fatigue and its implications for employee productivity and mental health in the high-demand sectors of information technology (IT), finance, healthcare and education. Utilizing a quantitative research methodology, the study surveyed 351 employees from these industries to analyze the relationships between cybersecurity fatigue, work efficiency, and mental health indicators, including stress and anxiety. The findings highlight cybersecurity fatigue as a significant factor contributing to burnout, reduced productivity, and increased psychological strain. Structural Equation Modeling (SEM) demonstrates the moderating effects of digital detox initiatives and mental health support strategies in mitigating fatigue and improving employee well-being and organizational performance. This research addresses a critical gap by focusing on the human dimensions of cybersecurity management and offers practical recommendations for simplifying protocols and fostering resilience. The study provides actionable insights for organizations operating under stringent cybersecurity requirements, enabling them to enhance employee satisfaction and performance.

Keywords: Cybersecurity fatigue, Human resource management, Structural equation modeling (SEM), Digital detox, Burnout theory

Introduction

In today’s digital workplace, cybersecurity is a cornerstone of organizational stability, underpinning efforts to protect sensitive data and ensure compliance with increasingly stringent regulatory frameworks. However, as cybersecurity measures evolve, employees tasked with implementing and maintaining these systems face growing challenges. This has led to cybersecurity fatigue, a state of mental and emotional exhaustion arising from repeated exposure to security demands. Cybersecurity fatigue significantly impacts employee productivity, mental health, and organizational resilience [1, 2]. This phenomenon manifests through cognitive overload, stress, and disengagement, making it a pressing concern for industries with high-security demands, including information technology, healthcare, finance, and education.

These sectors are collectively important to study due to their unique cybersecurity challenges. Information technology serves as the backbone of digital infrastructure, requiring constant vigilance against emerging cyber threats. Healthcare organizations must navigate strict regulatory frameworks, such as HIPAA, while safeguarding sensitive patient data. The finance sector faces heightened risks due to its critical role in managing monetary transactions and adhering to regulations like GDPR. Education, meanwhile, is increasingly targeted by cyberattacks as institutions adopt digital tools and platforms for learning and administration. Together, these sectors represent environments where cybersecurity fatigue poses significant risks to organizational performance and employee well-being, making them essential focal points for this research.

Fatigue, in general, is defined as a state of physical or mental exhaustion that reduces performance and decision-making abilities. Within organizational contexts, fatigue is often linked to stress—a psychological response to sustained exposure to high-pressure tasks. Stress amplifies cognitive overload, impairing employees’ focus and effectiveness [3, 4]. Prolonged exposure to these stressors leads to burnout, characterized by emotional exhaustion, depersonalization, and a diminished sense of personal accomplishment. In cybersecurity roles, repetitive tasks such as managing frequent alerts, identifying threats, and adhering to compliance protocols act as persistent stressors that increase the likelihood of both fatigue and burnout [5].

The stakes are particularly high in sectors like finance and healthcare, where errors in cybersecurity can lead to catastrophic outcomes. Employees in these industries face added pressure from regulatory frameworks like the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States. These regulations mandate rigorous data protection measures, intensifying the cognitive and emotional demands placed on employees [6, 7]. Over time, such pressures result in disengagement, reduced productivity, and a heightened risk of security breaches. Fatigued employees are more prone to errors and may circumvent protocols, exacerbating organizational vulnerabilities [1].

While burnout in workplace settings has been extensively studied, cybersecurity fatigue remains an underexplored phenomenon. Most existing research has focused on technical aspects of cybersecurity, such as identifying system vulnerabilities and implementing risk management strategies. However, the human dimensions of cybersecurity, including the psychological toll on employees, have received far less attention [8]. This gap is particularly significant given the role of human error in cybersecurity incidents. Paul and Dykstra emphasize that alert fatigue—a common form of cybersecurity fatigue—desensitizes employees to critical threats, increasing the likelihood of oversight. Addressing these human factors is essential to building resilient cybersecurity systems [9].

This study seeks to address this research gap by investigating the relationships between cybersecurity fatigue, employee productivity, and mental health indicators such as stress and anxiety. Employing a quantitative methodology, the study examines how the frequency and complexity of cybersecurity tasks impact employee outcomes across high-demand sectors. The findings aim to provide actionable insights for organizations navigating the delicate balance between security demands and employee well-being. Additionally, the study explores mitigation strategies, such as digital detox initiatives and mental health support programs, to alleviate the effects of fatigue. These strategies are grounded in theoretical frameworks like Burnout Theory, which highlight the importance of managing job demands and fostering recovery to sustain employee performance [1, 3].

By integrating these findings with practical recommendations, this research contributes to the growing discourse on the human factors in cybersecurity management. It emphasizes the need for a holistic approach that combines technical, psychological, and organizational interventions to mitigate cybersecurity fatigue, ultimately enhancing both employee well-being and organizational performance.

Literature review

The rise of digital infrastructures has ushered in an era of complex cybersecurity challenges, necessitating robust measures to safeguard sensitive information. However, these measures often impose significant psychological and cognitive burdens on employees responsible for implementing and maintaining them. Cybersecurity fatigue, a growing phenomenon in high-demand sectors like information technology (IT), finance, healthcare, and education, encapsulates the emotional and cognitive strain caused by prolonged exposure to cybersecurity demands. This literature review examines the underlying factors contributing to cybersecurity fatigue, its implications for employee well-being and organizational performance, and strategies to mitigate its effects.

Theoretical framework

Burnout Theory, introduced by Maslach [3], provides a foundational framework for understanding the psychological impact of prolonged workplace stress. The theory identifies three key dimensions of burnout: emotional exhaustion, depersonalization, and reduced personal accomplishment. Emotional exhaustion reflects a depletion of energy and emotional resources resulting from chronic stress. Individuals experiencing emotional exhaustion often feel overextended and unable to meet work demands [2, 3]. Depersonalization involves a sense of detachment or emotional distancing from one's work and colleagues, often as a coping mechanism to manage stress. This can lead to a cynical attitude towards work and decreased empathy towards others [1, 3]. Reduced personal accomplishment signifies feelings of inefficacy and a decline in one’s sense of achievement and competence in the workplace. Individuals may perceive a gap between their efforts and actual outcomes, leading to decreased motivation [3, 8]. These dimensions collectively illustrate how demanding work environments contribute to chronic stress, adversely affecting employee well-being and performance.

In cybersecurity roles, professionals face unique cognitive and emotional demands, such as managing security alerts, ensuring compliance, and responding to cyber threats. These demands often result in cybersecurity fatigue, a specific manifestation of burnout. Nobles provides quantitative evidence showing how stress and emotional exhaustion are heightened in roles requiring constant vigilance against evolving cyber threats, aligning closely with the emotional exhaustion component of Burnout Theory [2]. Similarly, Reeves et al. [10] identify cognitive overload as a precursor to emotional exhaustion in cybersecurity teams, emphasizing the need for proactive mitigation strategies [1].

The repetitive and high-pressure nature of cybersecurity tasks can also foster depersonalization. Employees may emotionally disengage from their roles to cope with the stress of constant demands. Reeves et al. [10] highlight how depersonalization undermines employee effectiveness and organizational resilience, while Almanza [11] discusses its implications for employee well-being in critical sectors like healthcare, where cybersecurity fatigue can compromise both staff and patient safety [1, 12]. Pittas et al. further explore how attribution styles, particularly the actor-observer bias, influence cybersecurity fatigue. Their study introduces the CyFa measure to assess how individuals attribute responsibility for cybersecurity fatigue and propose mitigation strategies to reduce depersonalization [13].

The reduced sense of personal accomplishment described in Burnout Theory is also evident in cybersecurity fatigue. Kim and Kim explore how work overload and psychological contract breaches in cybersecurity roles erode employees' self-efficacy and motivation. Their findings suggest that the relentless nature of cybersecurity demands often leaves employees feeling inadequate, even when they successfully manage threats [8]. This futility not only contributes to emotional exhaustion but also diminishes engagement and innovation in cybersecurity practices. Similarly, Nepal et al. highlight that incident responders face significant emotional and cognitive strain due to the constant vigilance required in cybersecurity, leading to reduced professional fulfillment and increased burnout symptoms [12]. These findings reinforce the application of Burnout Theory in understanding the psychological toll of cybersecurity fatigue.

Empirical studies validate the relevance of Burnout Theory in cybersecurity contexts. Nobles links the complexity of cybersecurity tasks to burnout indicators such as stress, fatigue, and job dissatisfaction [2]. Reeves et al. [10] demonstrate that cognitive overload exacerbates emotional exhaustion, while Almanza [11] underscores the unique challenges faced by high-stakes industries like healthcare. Parker [14] further explores the intersection of burnout and information security in healthcare, emphasizing the compounded stress from both technical demands and patient-critical tasks [1, 11, 14]. Pittas et al. highlight how cybersecurity fatigue is further intensified by attribution styles, emphasizing the need for targeted interventions [13]. Additionally, Pham et al. identify that security demands, such as dealing with evolving threats, can drain resources and contribute to burnout unless mitigated by supportive organizational practices [15]. These studies collectively demonstrate that Burnout Theory provides a robust framework for understanding the human factors driving cybersecurity fatigue.

Moreover, Burnout Theory offers a theoretical lens for addressing cybersecurity fatigue through organizational interventions. The theory suggests that reducing job demands and increasing recovery opportunities are critical for mitigating burnout. Reeves et al. advocate for simplified security protocols and workload redistribution as practical solutions [1]. Kim and Kim highlight the role of supportive leadership and mental health resources in fostering resilience among cybersecurity professionals [8]. Nepal et al. propose tailored approaches, including addressing workload intensity and providing adequate training resources, to help responders manage stress effectively [12]. Pittas et al. propose specific attribution-based strategies to reduce the effects of actor-observer bias, further emphasizing the importance of personalized approaches [13]. Pham et al. similarly argue for the implementation of resource-balancing strategies, such as promoting team collaboration and enhancing recovery opportunities, to sustain performance and well-being [15]. These recommendations align with Burnout Theory’s emphasis on managing stressors and enhancing employee resources to foster long-term engagement and resilience in cybersecurity roles.

Factors contributing to cybersecurity fatigue

One of the primary contributors to cybersecurity fatigue is cognitive overload, a condition arising from excessive mental demands that exceed an individual's processing capacity. In cybersecurity-intensive roles, employees are required to manage complex systems, analyze large volumes of data, and respond to frequent security alerts. This constant vigilance creates a state of sustained cognitive strain, which not only impairs decision-making but also increases the likelihood of errors [1].

Closely tied to cognitive overload is the phenomenon of alert fatigue, where employees become desensitized to frequent notifications and warnings from cybersecurity systems. Dykstra and Paul describe how repetitive alerts diminish an individual’s ability to discern genuine threats from false positives, leading to slower response times and increased security risks [16]. This issue is particularly pronounced in industries such as finance and healthcare, where real-time threat detection is critical but often overwhelming for employees. Alert fatigue not only impacts operational effectiveness but also contributes to disengagement and emotional exhaustion, key precursors to burnout [17].

The increasing complexity of regulatory frameworks further exacerbates cybersecurity fatigue. Legislation such as the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States imposes stringent requirements on data protection, breach notification, and risk management. While these regulations are essential for safeguarding sensitive information, they also create a heavy burden for employees tasked with ensuring compliance [6, 7].

The need to balance daily operations with compliance demands often leads to what researchers term compliance fatigue, characterized by frustration and mental exhaustion resulting from repeated adherence to complex rules. Nobles highlights that employees in highly regulated industries are more prone to stress and burnout due to the continuous pressure to meet legal and organizational standards [2]. This fatigue not only affects individual performance but also undermines overall organizational resilience, as overwhelmed employees may inadvertently overlook critical compliance requirements.

The nature of cybersecurity work often involves repetitive and complex tasks, such as managing multi-factor authentication systems, monitoring network traffic, and conducting security audits. These tasks, while necessary, are mentally taxing and can become monotonous over time. Studies indicate that repetitive work requiring sustained attention increases the risk of emotional detachment and errors, as employees struggle to maintain focus and motivation [18]. Additionally, the technical complexity of cybersecurity systems presents another challenge. Employees must navigate intricate protocols and troubleshoot advanced issues, often without sufficient resources or support. Reeves et al. suggest that this combination of repetition and complexity leads to a sense of futility, where employees perceive their efforts as inadequate in the face of evolving cyber threats [1]. This perception further compounds the cognitive and emotional strain associated with cybersecurity fatigue.

Impact of cybersecurity fatigue

Cybersecurity fatigue has profound effects on employees' mental health, manifesting as increased stress, anxiety, and, in severe cases, burnout. Stress arises from the high-stakes nature of cybersecurity roles, where even minor errors can lead to significant breaches. Over time, this constant pressure contributes to anxiety and emotional exhaustion, reducing employees' ability to perform effectively [3, 5]. Burnout, as described in Burnout Theory, is a critical outcome of sustained stress in cybersecurity-intensive roles. Employees experiencing burnout often report feelings of detachment and reduced personal accomplishment, which not only affect their mental well-being but also their ability to contribute meaningfully to organizational goals [1]. Addressing these mental health challenges is essential for maintaining a resilient and engaged workforce.

Cybersecurity fatigue directly impacts productivity, as employees overwhelmed by cognitive demands are less able to focus and complete tasks efficiently. Studies show that fatigue leads to an increase in errors, particularly in high-pressure environments where vigilance is critical. For instance, He and Zhang found that employees experiencing cognitive overload are more likely to bypass security protocols or make mistakes in routine tasks, jeopardizing organizational security [18]. This decline in productivity is particularly concerning in industries where the margin for error is small, such as finance and healthcare. Reeves et al. argue that cognitive depletion not only reduces individual performance but also creates systemic vulnerabilities, as fatigued employees are less likely to adhere to best practices or recognize emerging threats [1].

The broader implications of cybersecurity fatigue extend to organizational security and resilience. Fatigued employees are more prone to neglecting critical tasks, such as updating systems or responding promptly to threats, increasing the likelihood of breaches. Mailock Central emphasizes that organizations with high levels of cybersecurity fatigue are at greater risk of operational failures, as the cumulative effect of individual errors compounds over time [19]. Furthermore, the disengagement associated with cybersecurity fatigue can undermine an organization’s culture of security awareness. Employees who feel unsupported or overwhelmed are less likely to participate in training initiatives or adhere to protocols, creating gaps in the organization’s defense mechanisms [20]. This highlights the need for a holistic approach to managing cybersecurity fatigue, one that addresses both individual and organizational vulnerabilities through targeted interventions.

Mitigation strategies

Mitigating cybersecurity fatigue requires a multifaceted approach that addresses the technical, organizational, and psychological factors contributing to employee stress. By adopting streamlined processes, leveraging technological advancements, and fostering supportive workplace environments, organizations can reduce the cognitive burden on employees and promote resilience. Below, we explore key strategies in greater detail.

Simplifying cybersecurity protocols is a cornerstone strategy for alleviating fatigue among employees. Complex and repetitive tasks—such as managing frequent password changes, responding to a constant stream of security alerts, and adhering to intricate compliance procedures—are major contributors to cognitive overload. To counter these challenges, organizations can implement simplified protocols, such as single sign-on (SSO) systems, which reduce the need for multiple login credentials while maintaining robust security standards.

Another effective approach is the adoption of automated threat detection systems, which minimize the manual intervention required to monitor and mitigate risks. According to Willie, reducing unnecessary alerts and prioritizing high-risk notifications significantly alleviates the burden on cybersecurity teams [21]. For example, advanced threat detection algorithms can filter out low-priority notifications, enabling employees to focus on genuine threats that require immediate attention. Additionally, extending the validity period for secure credentials can decrease the frequency of password updates, further reducing administrative overhead. By streamlining these processes, organizations not only improve employee engagement but also enhance operational efficiency. This simplification aligns with best practices in cybersecurity while ensuring that employees remain effective and motivated in their roles.

Human resources (HR) departments play a critical role in mitigating cybersecurity fatigue by fostering a workplace culture that prioritizes employee well-being. HR-driven initiatives such as stress management training, resilience-building programs, and flexible work arrangements provide employees with the tools and support needed to navigate the demands of cybersecurity roles effectively [22]. Nobles underscores the importance of integrating mental health resources into organizational policies, including access to counseling services, stress-reduction workshops, and periodic mental health days [2]. These resources help employees manage the psychological toll of high-stakes cybersecurity tasks while reducing the stigma associated with seeking mental health support. To address workload-related fatigue, HR departments can implement rotational shifts for cybersecurity teams. This approach ensures that no employee is constantly “on call,” distributing responsibilities equitably across the team. By prioritizing work-life balance and fostering an open dialogue about stress, organizations can create an environment where employees feel supported and valued [23]. This proactive approach not only reduces burnout but also enhances overall job satisfaction and retention.

Leveraging automation technologies offers significant potential for reducing the cognitive burden on cybersecurity professionals. AI-driven threat detection systems and automated compliance monitoring tools can handle routine, repetitive tasks, allowing employees to focus on complex vulnerabilities that require human expertise. For instance, Mittu and Lawless highlight that automating activities such as log monitoring, patch management, and initial threat assessments frees up valuable time and reduces mental strain [24]. In highly regulated sectors like finance and healthcare, where cybersecurity demands are relentless, automation ensures that critical tasks are completed efficiently and accurately. Machine learning algorithms further enhance these systems by identifying and prioritizing potential threats based on risk levels. These technologies enable cybersecurity teams to allocate resources strategically, ensuring that high-risk vulnerabilities are addressed promptly while minimizing the cognitive demands on employees. As a result, organizations can achieve greater resilience without overburdening their workforce.

Mental health initiatives and digital detox programs are essential for addressing the psychological impact of cybersecurity fatigue. Digital detox practices, such as limiting after-hours cybersecurity demands and scheduling dedicated “no-tech” periods, provide employees with opportunities to recover from the constant engagement required in cybersecurity roles [1]. Organizations that integrate mindfulness programs, relaxation techniques, and resilience training into their workplace culture have reported significant reductions in burnout and improved overall employee well-being [5]. These programs help employees develop coping mechanisms for managing stress and maintaining focus under pressure. Comprehensive wellness programs that include access to mental health counseling and stress-reduction activities further enhance employees' ability to navigate cybersecurity challenges effectively [25]. By prioritizing mental health, organizations create a more supportive environment that fosters both individual well-being and collective productivity. These efforts not only improve employee outcomes but also contribute to a more engaged and resilient workforce, capable of meeting the demands of an increasingly digital landscape. By implementing these mitigation strategies, organizations can address the root causes of cybersecurity fatigue and create a healthier, more sustainable approach to managing security demands. These interventions, when applied cohesively, enable organizations to balance operational efficiency with employee well-being, ultimately enhancing both individual and organizational performance.

Case examples of cybersecurity incidents

The WannaCry ransomware attack of 2017 marked a pivotal moment in the history of cybersecurity, affecting over 200,000 systems worldwide and causing widespread disruption, particularly in critical infrastructure sectors such as healthcare. The malware’s rapid propagation underscored significant vulnerabilities, particularly those stemming from delayed system updates and insufficient preparedness among cybersecurity teams. In the aftermath of WannaCry, it became evident that fatigue among cybersecurity personnel played a critical role in the slow and often ineffective response to such crises. Employees tasked with managing the incident faced overwhelming cognitive demands, exacerbated by the urgency and high stakes of the situation. This highlighted the pressing need for proactive measures, including the automation of patch management processes and regular resilience training for cybersecurity professionals to enhance their capacity to respond effectively under pressure [26].

The SolarWinds breach in 2020 further demonstrated the challenges associated with managing large-scale cyber incidents. This attack revealed vulnerabilities in software supply chains, impacting both government and private sector organizations. The breach’s complexity and the vast scope of its consequences placed immense pressure on cybersecurity teams, many of whom worked tirelessly under extreme conditions to contain the fallout. The intense demands of this crisis likely amplified fatigue and increased the risk of errors, further complicating response efforts. The SolarWinds case brought attention to the critical role of human resources in mitigating the psychological toll on cybersecurity teams. Organizations must prioritize mental health support, balanced workloads, and clear communication strategies during high-stress scenarios to ensure that employees remain effective and resilient [27].

Similarly, the T-Mobile data breach of 2023 served as a stark reminder of how human factors intersect with technical vulnerabilities in cybersecurity. Affecting the personal information of over 37 million customers, this breach exposed lapses in protocol adherence and response mechanisms. These shortcomings were likely exacerbated by employee disengagement and fatigue, stemming from the repetitive and high-pressure nature of cybersecurity tasks. The incident underscored the importance of implementing simplified security protocols and fostering organizational support to mitigate the cognitive demands placed on cybersecurity professionals. Measures such as prioritizing critical alerts, automating routine tasks, and creating a supportive work environment can significantly enhance the ability of teams to manage complex security challenges effectively [28].

Collectively, these cases highlight the intricate interplay between human factors and technical vulnerabilities in cybersecurity. They underscore the need for a holistic approach to cybersecurity management that extends beyond technical solutions to include organizational policies and employee well-being. By addressing the cognitive and emotional toll of cybersecurity tasks through proactive interventions and supportive workplace practices, organizations can strengthen both their security posture and the resilience of their workforce. These lessons emphasize the importance of viewing cybersecurity fatigue not merely as a byproduct of operational demands but as a critical risk factor that must be managed with equal urgency and strategic focus.

Gaps and future directions

Despite increasing recognition of cybersecurity fatigue as a significant workplace challenge, several critical gaps remain in the literature. This study highlights the adverse effects of cybersecurity fatigue on employee productivity and mental health, findings that align with prior research emphasizing its psychological toll and operational consequences [2, 10]. However, much of the existing research focuses on immediate outcomes, such as compliance errors and operational inefficiencies, while neglecting the broader organizational implications and long-term effects of sustained exposure to cybersecurity demands. Our findings suggest that chronic exposure may lead to significant stress and burnout, underscoring the importance of longitudinal studies to evaluate the long-term impacts on employee well-being and organizational resilience.

Another gap lies in the lack of sector-specific analysis in the existing literature. Industries such as IT, finance, and healthcare face unique cybersecurity challenges, including strict regulatory requirements like GDPR and HIPAA, as well as heightened operational complexities [2, 8]. These sectoral differences are often overlooked in generalized studies, leaving organizations without tailored strategies to address their unique challenges. This study’s findings demonstrate varying levels of cybersecurity fatigue across sectors, further emphasizing the need for industry-specific recommendations to mitigate its impact effectively.

In addition to sectoral gaps, research on mitigation strategies remains fragmented. While various interventions—such as automation, digital detox initiatives, and mental health support programs—have been proposed [1, 24], few studies explore how these strategies interact to provide comprehensive relief from cybersecurity fatigue. Our results indicate that combining strategies, such as simplifying protocols alongside mental health support, can significantly reduce fatigue. However, the scalability and adaptability of these integrated approaches remain underexplored, particularly for organizations with limited financial and technical resources. Cost-effectiveness is an especially pressing issue for small and medium-sized enterprises (SMEs), where expensive cybersecurity solutions may not be viable [12, 26].

Lastly, addressing cybersecurity fatigue requires greater multidisciplinary collaboration. Existing research often isolates technical, psychological, and organizational perspectives, leading to a fragmented understanding of the issue. This study highlights the interplay between these factors and supports the need for collaborative efforts involving cybersecurity experts, HR professionals, and psychologists. Such partnerships can drive innovation in developing robust, evidence-based frameworks to mitigate cybersecurity fatigue in diverse organizational contexts [10, 13]. By addressing these gaps, future research can contribute to a more comprehensive understanding of cybersecurity fatigue and provide actionable insights to enhance organizational resilience and employee well-being in an increasingly digitized landscape.

Hypothesis development

The hypotheses in this study are anchored in Burnout Theory and supported by empirical findings from research on cybersecurity fatigue, employee productivity, and mental health. Burnout Theory posits that prolonged exposure to high-stress environments leads to emotional exhaustion, depersonalization, and reduced personal accomplishment [3]. These dimensions of burnout are particularly relevant in the context of cybersecurity fatigue, a phenomenon driven by persistent cognitive and emotional demands [2].

Hypothesis 1

Employees with a high frequency of exposure to cybersecurity alerts and protocols experience significantly higher levels of fatigue compared to employees with a lower frequency of exposure.

This hypothesis is rooted in Burnout Theory, which highlights how continuous job stressors contribute to emotional exhaustion. Frequent exposure to cybersecurity protocols, such as managing alerts and adhering to compliance tasks, imposes significant cognitive loads on employees, leading to fatigue. Studies by Nobles [2] and Reeves et al. [10] confirm this relationship, demonstrating that repetitive security demands and alerts increase the risk of fatigue [1]. Dykstra and Paul further validate this by showing that “alert fatigue” desensitizes employees, reducing their ability to respond effectively to genuine threats [16]. This aligns with the cognitive overload central to Burnout Theory.

Hypothesis 2

Cybersecurity fatigue will result in a decrease in employee productivity due to increased errors and reduced work efficiency.

According to Burnout Theory, emotional exhaustion impairs an individual's capacity to perform work effectively, leading to diminished productivity. Empirical evidence supports this hypothesis: He and Zhang identify that cognitive strain from cybersecurity tasks increases error rates and reduces task performance [18]. Nobles and Kim and Kim also highlight that fatigue-driven disengagement and mental strain reduce focus and efficiency, consistent with the outcomes of emotional exhaustion described in Burnout Theory [2, 8]. The findings of Singh et al. further demonstrate that high-stakes cybersecurity tasks exacerbate these productivity challenges, particularly in environments requiring continuous vigilance [5].

Hypothesis 3

There is a strong correlation between cybersecurity fatigue and mental health problems, such as increased levels of stress, anxiety, and burnout.

Burnout Theory emphasizes the psychological toll of sustained workplace stress, which manifests as anxiety, stress, and eventual burnout. This hypothesis is supported by findings from Nobles, who links cybersecurity fatigue to heightened psychological distress among employees [2]. Dwarakanath, Ravi, and Vijayakumar also demonstrate that the high-pressure nature of cybersecurity roles contributes to chronic anxiety and stress [29]. Maslach’s dimensions of burnout provide a theoretical foundation for understanding how prolonged exposure to demanding tasks in cybersecurity leads to emotional exhaustion and psychological distress.

Hypothesis 4

Digital detox initiatives, such as limiting after-hours cybersecurity alerts and simplifying security protocols, are effective in reducing employee fatigue and improving mental well-being.

This hypothesis builds on Burnout Theory's recommendation to manage job demands and provide recovery opportunities. Studies by Reeves et al. demonstrate that digital detox practices, such as restricting after-hours tasks, alleviate stress and reduce emotional exhaustion [1]. Mittu and Lawless advocate for the use of automation in cybersecurity to offload repetitive tasks, helping reduce cognitive strain and allowing employees to recover [24]. These strategies align with Burnout Theory's focus on creating opportunities for mental recovery to prevent burnout.

Hypothesis 5

Access to mental health resources mitigates the effects of cybersecurity fatigue on productivity and mental health.

Burnout Theory suggests that adequate resources, such as mental health support, buffer the negative effects of workplace stress. He and Zhang provide empirical evidence showing that access to counseling services and stress-management programs significantly reduces burnout and improves productivity [18]. Nobles emphasizes the importance of integrating mental health resources into organizational policies to help employees navigate the psychological demands of cybersecurity roles [2]. These findings reinforce the need for organizational initiatives to counteract the mental health challenges associated with cybersecurity fatigue.

The hypotheses in this study are firmly grounded in Burnout Theory and validated by recent empirical findings from studies on cybersecurity fatigue, productivity, and mental health. Figure 1 presents the conceptual model, which illustrates how frequent exposure to cybersecurity protocols (H1) leads to increased fatigue, correlates with mental health challenges such as stress and burnout (H3), and negatively impacts productivity through increased errors and reduced efficiency (H2). The model also demonstrates the moderating effects of digital detox initiatives (H4) and access to mental health resources (H5) in mitigating these impacts, fostering employee well-being and organizational resilience.

Fig. 1. Conceptual model of cybersecurity fatigue, mental health, and employee productivity

Methodology

Research design

This study utilized a quantitative research design to examine the relationships between cybersecurity fatigue, employee productivity, and mental health. The design was guided by the objective of understanding how the frequency and complexity of cybersecurity protocols impact employees' psychological well-being and work performance across multiple sectors. The data were collected through a structured survey that aligned with validated constructs for each of the study variables: cybersecurity fatigue, productivity, and mental health. To ensure the findings are robust, the research design also incorporated statistical power analysis and stratified sampling techniques to maintain representativeness and reliability. The structured nature of the survey facilitated consistent responses while allowing for meaningful statistical analysis of the hypothesized relationships between the variables.

Sample and sampling method

The target population consisted of employees from finance, healthcare, IT, and education sectors, which are characterized by high cybersecurity demands and frequent exposure to security protocols. These industries were chosen due to their critical reliance on robust cybersecurity systems to safeguard sensitive data and comply with stringent regulatory frameworks. The sample size was determined through statistical power analysis to ensure the detection of meaningful relationships between the study variables. This analysis assumed a medium effect size (Cohen’s f = 0.30), a power level of 0.80, and a significance level (α) of 0.05, resulting in a minimum required sample size of 350 participants. The final sample included 351 participants, meeting these criteria and ensuring reliable and generalizable results.

A stratified sampling method was utilized to adequately represent the diversity within the target population. The population was divided into strata based on the sector of employment (finance, healthcare, IT, and education). Participants within each stratum were selected randomly to minimize bias and achieve proportional representation across these sectors. For instance, employees from the IT sector comprised approximately 20% of the total sample, reflecting the prevalence of cybersecurity roles within this industry.

To qualify for participation, employees were required to meet the following criteria:

  1. Minimum Experience: At least six months of experience in roles involving regular interaction with cybersecurity protocols.

  2. Relevance of Job Tasks: Responsibilities including managing alerts, handling compliance requirements, and maintaining secure systems.

  3. Sector Representation: Employment in one of the targeted high-demand sectors.

These criteria ensured that participants had sufficient exposure to cybersecurity challenges to provide valuable insights into cybersecurity fatigue. In cases where access to participants was restricted, convenience sampling was employed as a supplementary method. For instance, in sectors with strict organizational policies, convenience sampling enabled the inclusion of eligible participants who could not be reached through stratified sampling. This reliance on convenience sampling is acknowledged as a limitation and is further discussed in the limitations section of this study.

A pilot study was conducted with 40 participants to test the reliability, clarity, and validity of the survey instruments used in this research. The pilot sample was representative of the target population, including employees from finance, healthcare, IT, and education sectors.

Data collection and measurement

The study relied on self-reported measures due to the challenges associated with collecting real-time objective data across diverse industries. To mitigate this limitation, validated scales were employed to ensure the reliability and consistency of the findings. Future research could benefit from combining self-reported and objective measures to provide a more comprehensive analysis. The survey consisted of four main sections:

  1. Demographics: Collected information on participants' age, gender, job role, industry sector, and years of experience to account for variations in cybersecurity exposure.

  2. Cybersecurity Fatigue (Independent Variable): Measured using an adapted version of the Cybersecurity Fatigue Scale (CFS) [2, 29]. Items assessed cognitive overload, emotional exhaustion, and the frequency of exposure to security alerts. Responses were recorded on a five-point Likert scale (1 = strongly disagree, 5 = strongly agree). Reliability analysis showed strong internal consistency (Cronbach’s Alpha = 0.930; Composite Reliability (CR) = 0.929; Average Variance Extracted (AVE) = 0.652).

  3. Mental Health (Dependent Variable): Evaluated using the Maslach Burnout Inventory (MBI) (Maslach), which measured stress, anxiety, and burnout across emotional exhaustion, depersonalization, and personal accomplishment dimensions [3]. Reliability metrics confirmed robustness (Cronbach’s Alpha = 0.703; CR = 0.946; AVE = 0.687).

  4. Productivity (Dependent Variable): Assessed using items adapted from the Work Limitations Questionnaire (WLQ) [18, 19] focusing on self-reported task completion, error rates, and work efficiency. The scale demonstrated strong reliability (Cronbach’s Alpha = 0.777; CR = 0.925; AVE = 0.712).

The survey underwent a pilot test with 40 participants to ensure clarity, reliability, and alignment with the study objectives. Based on feedback, ambiguous items were rephrased, and scales were refined for consistency.

Pilot study and measurement validity

A pilot study was conducted with 40 participants to test the reliability, clarity, and validity of the survey instruments used in this research. The pilot sample was representative of the target population, including employees from finance, healthcare, IT, and education sectors. The results of the pilot study are summarized below:

The internal consistency of the constructs was assessed using Cronbach’s Alpha. All constructs demonstrated acceptable reliability, with values exceeding the recommended threshold of 0.70, as shown in Table 1.

Table 1. Pilot study reliability results

| Construct | Cronbach’s Alpha |
|---|---|
| Cybersecurity fatigue | 0.910 |
| Mental health | 0.895 |
| Productivity | 0.879 |

Participants provided feedback on the survey’s structure, clarity, and ease of understanding. Minor revisions were made to improve wording and eliminate ambiguous items. For example:

  • Items referring to “security protocols” were rephrased to include specific examples (e.g., “multi-factor authentication” and “system alerts”).

  • Instructions were simplified to ensure consistency in responses.

Convergent validity was supported by the strong internal consistency of constructs, as reflected in the Composite Reliability (CR) values, which all exceeded 0.70. The Average Variance Extracted (AVE) for all constructs was above 0.50, indicating adequate convergent validity. Additionally, the discriminant validity was preliminarily assessed, with results consistent with the full data set findings. The results are demonstrated in Table 2.

Table 2. Pilot study validity results

| Construct | Composite reliability (CR) | Average variance extracted (AVE) |
|---|---|---|
| Cybersecurity fatigue | 0.927 | 0.652 |
| Mental health | 0.933 | 0.687 |
| Productivity | 0.912 | 0.712 |

The pilot study confirmed that the survey instruments were reliable and valid for the study's objectives, providing a solid foundation for the full-scale data collection.
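How the three figures reported for each construct are computed, as an added example (not the authors' code or SmartPLS output): Cronbach's alpha from raw Likert responses, CR and AVE from standardized loadings, each checked against the 0.70 and 0.50 thresholds quoted above. The responses, loadings and function names are constructed for illustration.

```python
from statistics import variance

# Thresholds quoted in the article: alpha and CR above 0.70, AVE above 0.50.
ALPHA_MIN, CR_MIN, AVE_MIN = 0.70, 0.70, 0.50


def cronbach_alpha(responses):
    """responses: one row per respondent, one Likert score (1-5) per item."""
    k = len(responses[0])
    if k < 2 or len(responses) < 2:
        raise ValueError("need at least two items and two respondents")
    # Sum of per-item sample variances versus variance of the summed scale.
    item_var = sum(variance(col) for col in zip(*responses))
    total_var = variance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("no variance in total scores; alpha is undefined")
    return k / (k - 1) * (1 - item_var / total_var)


def composite_reliability(loadings):
    """CR from standardized loadings; an item's error variance is 1 - loading^2."""
    shared = sum(loadings) ** 2
    error = sum(1 - l * l for l in loadings)
    return shared / (shared + error)


def average_variance_extracted(loadings):
    """Mean squared standardized loading of the construct's items."""
    return sum(l * l for l in loadings) / len(loadings)


def assess(name, responses, loadings):
    """Compute all three metrics and apply the article's thresholds."""
    alpha = cronbach_alpha(responses)
    cr = composite_reliability(loadings)
    ave = average_variance_extracted(loadings)
    return {
        "construct": name,
        "alpha": round(alpha, 3),
        "cr": round(cr, 3),
        "ave": round(ave, 3),
        "reliable": alpha > ALPHA_MIN and cr > CR_MIN,
        "convergent": ave > AVE_MIN,
    }


# Constructed data: six respondents answering four fatigue items (1-5 scale).
FATIGUE_RESPONSES = [
    [5, 4, 5, 4],
    [4, 4, 4, 3],
    [2, 2, 3, 2],
    [3, 3, 3, 3],
    [1, 2, 1, 2],
    [4, 5, 4, 4],
]
# Constructed standardized loadings for the same four items.
FATIGUE_LOADINGS = [0.82, 0.79, 0.85, 0.76]
# Constructed failure case: one strong item cannot carry two weak ones.
WEAK_LOADINGS = [0.90, 0.40, 0.35]

if __name__ == "__main__":
    print(assess("Cybersecurity fatigue", FATIGUE_RESPONSES, FATIGUE_LOADINGS))
    print("weak construct CR :", round(composite_reliability(WEAK_LOADINGS), 3))
    print("weak construct AVE:", round(average_variance_extracted(WEAK_LOADINGS), 3))
```
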

Data collection

The finalized survey was distributed electronically through email and professional networking platforms, such as LinkedIn. To ensure adequate representation across sectors, survey links were specifically distributed to employees in finance, healthcare, IT, and education industries. Participation was voluntary, and responses were anonymized to protect participants’ privacy. The survey remained open for two months, with periodic reminders sent to maximize response rates. A total of 351 valid responses were collected, meeting the sample size requirement determined through statistical power analysis.

Data analysis techniques

The study employed multiple statistical techniques to rigorously analyze the relationships between cybersecurity fatigue, employee productivity, and mental health. These methods were carefully selected to ensure robust testing of the hypotheses and accurate interpretation of results.

Descriptive statistics provided an overview of the dataset, summarizing demographic characteristics and the distributions of key variables such as cybersecurity fatigue, mental health, and productivity. Measures like means, standard deviations, and frequencies highlighted initial trends. For instance, participants reported a mean cybersecurity fatigue score of 3.6 (SD = 0.8), with healthcare professionals reporting the highest levels of fatigue. Mental health scores averaged 3.2 (SD = 0.9), reflecting moderate levels of stress and burnout, while productivity scores varied across sectors, with IT professionals achieving higher task completion rates compared to finance and healthcare employees. These descriptive findings offered foundational insights into how cybersecurity demands affect employees across industries.

To further explore these relationships, Spearman’s correlation coefficient was employed. This non-parametric method was chosen due to evidence of non-normal data distribution, as indicated by the Shapiro–Wilk test (p < 0.05). Spearman’s correlation effectively measured monotonic relationships between variables, revealing significant associations. Cybersecurity fatigue positively correlated with mental health challenges (ρ = 0.56, p < 0.01), indicating that higher fatigue levels were associated with increased stress and burnout. Conversely, a negative correlation emerged between cybersecurity fatigue and productivity (ρ = − 0.41, p < 0.01), suggesting that fatigue reduced work efficiency. These findings validated the hypothesized relationships, demonstrating the critical impact of cybersecurity fatigue on employee outcomes.

Multiple regression analysis quantified the predictive power of cybersecurity fatigue on mental health and productivity while controlling for industry, job position, and years of experience. The results confirmed that cybersecurity fatigue significantly predicted increased stress and burnout (β = 0.52, p < 0.01), explaining 27% of the variance in mental health outcomes (R² = 0.27). Similarly, fatigue was a significant predictor of lower productivity scores (β = − 0.38, p < 0.01), accounting for 18% of the variance (R² = 0.18). These regression results highlighted the direct effects of cybersecurity fatigue on both mental health and productivity, supporting the theoretical framework and hypotheses.

Moderation analysis was conducted to assess whether contextual factors, such as industry or job role, influenced the strength of the relationships between cybersecurity fatigue and the outcomes. This analysis revealed that the negative relationship between cybersecurity fatigue and productivity was stronger in high-security industries like IT and finance (β = − 0.45, p < 0.05) compared to education (β = − 0.22, p < 0.05). Additionally, employees in managerial roles reported lower fatigue levels than technical staff, suggesting a buffering effect of role-based responsibilities. These findings underscored the importance of considering contextual variables when evaluating the effects of cybersecurity fatigue.

Structural Equation Modeling (SEM) was employed to test the direct, indirect, and moderating effects of cybersecurity fatigue on mental health and productivity. SEM was conducted using SmartPLS 4.0, which is well-suited for analyzing latent variables and complex relationships. The model assessed the direct impact of cybersecurity fatigue on mental health and productivity, as well as the mediating role of mental health and the moderating effect of mitigation strategies like digital detox initiatives. Model fit indices, including CFI (0.95), TLI (0.93), RMSEA (0.04), and SRMR (0.048), demonstrated the validity of the SEM model.

The SEM results reinforced the findings of previous analyses. Cybersecurity fatigue had a significant direct effect on mental health (β = 0.47, p < 0.01) and productivity (β = − 0.35, p < 0.01). Mental health partially mediated the relationship between fatigue and productivity, with an indirect effect (β = − 0.18, p < 0.05). Moreover, mitigation strategies significantly moderated the relationship between fatigue and mental health, reducing its negative impact (β = − 0.25, p < 0.01). These findings provided robust evidence for the hypothesized relationships and emphasized the importance of strategic interventions.

The data analyses were conducted using SPSS 26.0 and SmartPLS 4.0. SPSS was used for descriptive statistics, correlation, and regression analyses, offering reliable tools for hypothesis testing. SmartPLS was employed for SEM due to its capacity to handle latent constructs and test complex models, particularly those involving interaction effects and indirect pathways.

These analytical techniques collectively offered a comprehensive understanding of the relationships among cybersecurity fatigue, mental health, and productivity, while also highlighting the role of contextual and mitigating factors. The findings underscore the critical need for targeted interventions to address cybersecurity fatigue and its adverse effects.

Ethical considerations

The study adheres to strict ethical guidelines to ensure the protection and privacy of all participants. The following ethical considerations were implemented throughout the research process. Participants were fully informed about the purpose, scope, and procedures of the study before their participation. An informed consent form was provided at the beginning of the survey, clearly explaining the nature of the study, the voluntary nature of participation, and the right to withdraw at any time without penalty. The form also detailed what the participants could expect in terms of the duration of the survey and how the data would be used. Only participants who provided their explicit consent by agreeing to the terms on the form were allowed to proceed with the survey. The confidentiality of participants' responses was a top priority. All data collected was anonymized to protect individual identities. Participant information, such as names or personal identifiers, was not recorded. Each participant was assigned a unique code to ensure that the data could not be traced back to them. The survey was conducted online, and the responses were stored securely in password-protected files. Only authorized researchers had access to the data, and all results were reported in aggregate form, ensuring that individual responses could not be identified. Prior to the commencement of data collection, the study received approval from Beykoz University Ethics Review Board to ensure that it met all ethical standards for research involving human participants. The board reviewed the study's methodology, informed consent procedures, and data handling processes to confirm that the study complied with ethical guidelines related to participant welfare and data privacy.

Results

This study aimed to explore the relationships among cybersecurity fatigue, employee productivity, and mental health across diverse sectors, including education, IT, finance, and healthcare. The analysis is based on survey responses from 351 participants, utilizing various statistical methods to test research hypotheses and validate key findings.

Data analysis and results

Descriptive statistics

The descriptive analysis provides an overview of the demographic characteristics of the participants and the distribution of key variables. The sample was diverse, representing a balanced distribution across sectors and roles:

  • Gender Distribution: 53% male and 47% female participants.

  • Sector Representation: IT (20.5%), healthcare (20.2%), finance (19.7%), and education (19.9%).

  • Experience Levels: Respondents with more than ten years of experience made up 20.5% of the sample, with others distributed across brackets ranging from less than one year to ten years.

Participants reported an average cybersecurity fatigue score of 3.6 (SD = 0.8), with healthcare professionals experiencing the highest levels. Mental health scores averaged 3.2 (SD = 0.9), and productivity scores varied significantly by sector, with IT professionals reporting the highest levels of task completion.

Correlation analysis

Spearman's correlation coefficient was employed to examine the relationships among the primary variables (cybersecurity fatigue, mental health, and productivity) and control variables (sector, job position, and years of experience). This non-parametric method was chosen due to the non-normal distribution of key variables, as confirmed by preliminary Shapiro–Wilk tests (p < 0.05). The results, presented in Table 3, reveal several significant associations:

  • Relationships Among Main Variables: Cybersecurity fatigue shows a significant negative correlation with productivity (ρ = − 0.48) and mental health (ρ = − 0.35), indicating that higher fatigue levels reduce work performance and well-being. Additionally, mental health is positively correlated with productivity (ρ = 0.42), suggesting that better mental health supports higher productivity.

  • Control Variables and Cybersecurity Fatigue: Employees in sectors with high cybersecurity exposure, such as IT and finance, reported greater levels of fatigue (ρ = 0.22), supporting sectoral differences in fatigue levels. Job position is negatively correlated with fatigue (ρ = − 0.19), implying that those in lower roles experience higher levels of fatigue, while years of experience is positively associated with reduced fatigue (ρ = 0.15), likely reflecting greater coping mechanisms among seasoned employees.

  • Control Variables and Mental Health: Years of experience has a positive association with mental health (ρ = 0.34), suggesting that more experienced employees may have better strategies for managing stress. However, sector shows a slight negative correlation with mental health (ρ = − 0.12), indicating that certain industries, such as IT or healthcare, may pose greater challenges to employee well-being.

  • Control Variables and Productivity: Job position demonstrates a moderate positive correlation with productivity (ρ = 0.30), suggesting that higher roles may involve greater resources or autonomy to mitigate fatigue. Similarly, years of experience positively influences productivity (ρ = 0.20), indicating that experienced employees are more effective at maintaining task performance.

Table 3. Correlation analysis results

| Variable 1 | Variable 2 | Spearman correlation (ρ) |
|---|---|---|
| Cybersecurity fatigue | Mental health | − 0.35 |
| Cybersecurity fatigue | Productivity | − 0.48 |
| Cybersecurity fatigue | Sector | 0.22 |
| Cybersecurity fatigue | Job position | − 0.19 |
| Cybersecurity fatigue | Years of experience | 0.15 |
| Mental health | Productivity | 0.42 |
| Mental health | Sector | − 0.12 |
| Mental health | Job position | 0.28 |
| Mental health | Years of experience | 0.34 |
| Productivity | Sector | − 0.15 |
| Productivity | Job position | 0.30 |
| Productivity | Years of experience | 0.20 |

These findings highlight the importance of considering sectoral and individual differences when analyzing the impacts of cybersecurity fatigue.

Reliability and validity analysis

The reliability and validity of the measurement instruments were evaluated to ensure robustness:

  • Reliability: Cronbach’s Alpha values exceeded 0.7 for all constructs, indicating strong internal consistency.

  • Convergent Validity: Average Variance Extracted (AVE) values were above 0.5 for all constructs.

  • Discriminant Validity: The Fornell-Larcker Criterion and HTMT ratios confirmed adequate discriminant validity, as shown in Table 4.

Table 4. Reliability and validity results

| Construct | Cronbach’s alpha | AVE | HTMT (Max) |
|---|---|---|---|
| Cybersecurity fatigue | 0.930 | 0.652 | 0.837 |
| Mental health | 0.703 | 0.687 | 0.704 |
| Productivity | 0.777 | 0.712 | 0.621 |

Hypotheses testing

Regression analysis

Regression analysis examined the predictive power of cybersecurity fatigue on mental health and productivity. The results, presented in Table 5, demonstrate significant relationships between the variables:

Table 5. Regression analysis results

| Dependent variable | Intercept | Slope (Fatigue) | p-value | R² |
|---|---|---|---|---|
| Productivity | 5.12 | − 0.45 | 0.002 | 0.36 |
| Mental Health | 4.87 | − 0.32 | 0.004 | 0.28 |

Structural equation modeling (SEM)

The SEM analysis further explored the interrelationships among the constructs. Model fit indices (CFI = 0.95, RMSEA = 0.04) confirmed the model's robustness, and the path coefficients supported the hypotheses, as shown in Table 6:

Table 6. SEM Analysis Results

| Hypothesis | Path coefficient | p-value | R² | Supported |
|---|---|---|---|---|
| H1: Fatigue → Mental Health | − 0.3611 | < 0.001 | 0.654 | Yes |
| H2: Fatigue → Productivity | − 0.5055 | < 0.001 | 0.928 | Yes |
| H3: Support → Productivity | 0.6218 | < 0.001 | 0.748 | Yes |

Figure 2 clarifies the relationships between the variables, making the statistical findings more accessible and understandable.

  1. Cybersecurity Fatigue → Mental Health: The scatter plot indicates a strong negative relationship between cybersecurity fatigue and employee mental health. As fatigue levels increase, mental health scores decrease, supporting the hypothesis that fatigue contributes to poor well-being.

  2. Mental Health Support → Productivity: The second scatter plot highlights the positive impact of mental health support on productivity. Employees with greater access to mental health resources reported higher productivity levels.

Fig. 2. Impact of cybersecurity fatigue and mental health support on employee well-being and productivity

Discussion

The purpose of this study was to examine the relationship between cybersecurity fatigue, employee productivity, and mental health across various sectors. By exploring the effects of frequent cybersecurity demands on employees' mental well-being and work performance, the study aimed to provide insights into how organizations can mitigate these impacts through targeted strategies like mental health support and digital detox initiatives. The key findings suggest that cybersecurity fatigue is significantly associated with increased stress, anxiety, and burnout, which, in turn, negatively affects employee productivity. Moreover, access to mental health resources and simplified security protocols were found to be effective in reducing the negative effects of fatigue on both mental health and work efficiency.

These results are significant because they highlight the growing concern around cybersecurity fatigue in modern organizations, particularly in industries where employees are constantly exposed to complex and demanding security measures. The study’s findings reinforce the need for a holistic approach that addresses not only the technical aspects of cybersecurity but also the human factors that contribute to fatigue. In this discussion, the implications of these findings will be explored beyond descriptive results, focusing on the unique contributions of the study to both theory and practice, and how these results may be generalizable to broader contexts, including international settings.

The study found a significant negative relationship between cybersecurity fatigue and employee mental health, with higher levels of fatigue correlating with increased stress, burnout, and anxiety. This aligns with Burnout Theory, which posits that prolonged exposure to high-demand environments, particularly without adequate recovery or support, leads to emotional exhaustion and decreased well-being. The results confirm the findings of Reeves et al., who identified cognitive overload as a major contributor to mental health deterioration among employees subjected to continuous security alerts and tasks [10]. The study also echoes Nobles, who highlighted the need for organizations to address human factors like stress to maintain security vigilance and overall mental health [2].

However, this study provides new insights by focusing specifically on cybersecurity fatigue, a subset of general workplace fatigue, as a critical factor in mental health decline. While previous research has linked general burnout to workplace demands, this study pinpoints the continuous exposure to cybersecurity protocols as a distinct source of cognitive overload, advancing the understanding of how cybersecurity-specific demands contribute to employee burnout. This adds a unique dimension to Burnout Theory, demonstrating that the effects of cybersecurity fatigue are not only emotional but also closely tied to the complexity and frequency of security tasks employees face.

The study's results also showed a strong negative relationship between cybersecurity fatigue and employee productivity, as evidenced by the correlation and regression analyses. Employees experiencing higher levels of fatigue reported lower work efficiency and increased error rates, supporting findings from Mailock Central and He and Zhang, which noted that cognitive overload from cybersecurity tasks leads to decreased productivity [18, 19]. The results affirm previous studies that link mental strain and cognitive fatigue to increased workplace errors and reduced performance, particularly in high-stakes environments like IT and finance.

This study, however, expands on these previous findings by offering a more nuanced understanding of how cybersecurity fatigue specifically leads to decreased productivity. The focus on cybersecurity protocols—such as frequent alerts, complex authentication processes, and strict compliance measures—highlights how NIST employees' performance declines not merely due to general workplace stress but as a direct consequence of the constant mental load associated with cybersecurity demands [30]. By isolating cybersecurity fatigue as a distinct factor affecting productivity, the study provides actionable insights for organizations looking to improve performance by streamlining security processes and offering cognitive relief.

The findings of the study also indicate that mental health support plays a significant moderating role in reducing the negative impact of cybersecurity fatigue on productivity. Employees who had access to mental health resources—such as counseling services, stress management programs, and digital detox initiatives—reported higher productivity levels despite experiencing cybersecurity fatigue. This supports the quantitative evidence, as shown in the regression analysis, where employees with mental health support were able to maintain better work efficiency compared to those without access to such resources.

These findings have practical implications for human resource practices and organizational interventions. By recognizing that cybersecurity fatigue is not just a technical problem but also a human factors issue, organizations can implement targeted strategies to mitigate its impact. Mental health support programs, combined with simplified security protocols, can significantly improve both employee well-being and productivity.

Contributions and implications

This study makes unique contributions to Burnout Theory by specifically connecting cybersecurity fatigue to traditional notions of burnout, particularly within sectors such as IT, finance, and healthcare. While Burnout Theory primarily focuses on emotional exhaustion resulting from overwhelming workplace demands, this study introduces cybersecurity fatigue as a distinct contributor to burnout. Continuous exposure to repetitive, complex cybersecurity protocols—such as frequent system updates, multi-factor authentication, and security compliance measures—adds a unique cognitive burden on employees. The findings reveal that cybersecurity fatigue leads to similar emotional exhaustion and mental strain as conventional burnout but is specific to the security challenges faced in high-demand sectors where vigilance is constant, and the stakes of failure are high.

Furthermore, the study extends current knowledge by clarifying the link between cybersecurity fatigue and employee well-being (increased stress, anxiety, burnout) as well as work performance (reduced productivity and increased error rates). This research provides a more nuanced understanding of how sector-specific cybersecurity demands exacerbate burnout risks. It positions cybersecurity fatigue as a critical component of burnout that directly affects not only emotional well-being but also employees’ ability to perform their roles effectively, especially when faced with the continuous mental load of adhering to security requirements.

The practical implications of this study are highly relevant for organizations globally, particularly in sectors that impose heavy cybersecurity demands. The findings suggest that simplifying cybersecurity protocols and integrating mental health support are effective strategies to mitigate cybersecurity fatigue and improve both employee well-being and productivity. For instance, organizations can reduce cognitive overload by simplifying procedures such as multi-factor authentication (MFA). Instead of requiring MFA for every login, organizations could apply it only to higher-risk tasks or less frequently used systems. Similarly, limiting security alerts to only those that are critical can prevent employees from feeling overwhelmed by unnecessary notifications. By automating routine tasks like password management or security scans, employees can focus on higher-value work without being burdened by repetitive, low-level security tasks.

Additionally, reducing the frequency of forced password changes—a common cybersecurity requirement—can alleviate unnecessary frustration and cognitive load. Research has shown that frequent password resets, especially when combined with complex password creation rules, contribute to mental fatigue and disengagement. Organizations can maintain security standards by implementing more user-friendly security measures like single sign-on (SSO) or biometric authentication while reducing the strain on employees.

Moreover, the study emphasizes the importance of providing mental health support to combat the effects of cybersecurity fatigue. Organizations should consider offering counseling services, resilience training, and stress management programs as part of a broader effort to safeguard employees' mental health. For example, introducing digital detox initiatives—such as periods where employees are not required to engage with security tasks outside of working hours—can help employees recover from the mental demands of constant security vigilance. In industries where cybersecurity demands are relentless, such as IT and healthcare, these initiatives can significantly reduce stress, enhance well-being, and maintain productivity over the long term.

These practical measures can also inform policy development in organizations. As cybersecurity challenges continue to grow, companies may need to formalize policies that promote work-life balance and provide structured mental health support, particularly for employees in cybersecurity-intensive roles. For instance, companies can adopt policies that limit after-hours cybersecurity tasks and ensure that on-call responsibilities are rotated among team members to prevent burnout. Providing flexible working arrangements, such as hybrid schedules, can further help employees manage their cybersecurity responsibilities without feeling overwhelmed by constant demands.

Generalizability of findings

The study's findings are highly relevant to organizations worldwide due to the universal challenges associated with cybersecurity demands and the impact on employee well-being. Industries across different regions face increasing pressures to comply with stringent cybersecurity regulations and protect sensitive data, leading to heightened levels of cybersecurity fatigue among employees. For example, regulatory frameworks such as the General Data Protection Regulation (GDPR) in Europe, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and similar data protection laws in other countries impose strict requirements on data security. These regulations mandate rigorous security protocols, continuous monitoring, and rapid response to security incidents, which contribute to the cognitive and emotional burden on employees responsible for compliance.

Furthermore, the global shift towards remote and hybrid work models has intensified cybersecurity demands across organizations. Employees are required to follow complex security protocols, such as using virtual private networks (VPNs) and multi-factor authentication, while working from home or other remote locations. This shift has increased the potential for cybersecurity fatigue due to the blurring of boundaries between work and personal life and the constant need to remain vigilant against cyber threats. The findings from this study, emphasizing the importance of digital detox initiatives and simplified protocols, are applicable to organizations navigating these challenges globally. By simplifying security tasks, automating repetitive processes, and providing mental health support, organizations can mitigate cybersecurity fatigue, thereby enhancing employee well-being and maintaining productivity. Industries such as healthcare, finance, and critical infrastructure, regardless of geographical location, can benefit from implementing the study's recommendations. Addressing cybersecurity fatigue is crucial for maintaining a resilient workforce capable of effectively managing the evolving landscape of cyber threats.

Conclusion

This study examined the relationship between cybersecurity fatigue, employee productivity, and mental health, focusing on the high-security sectors of information technology (IT), finance, healthcare, and education. The sample was drawn from these sectors due to their unique cybersecurity demands, including stringent regulatory requirements, complex compliance protocols, and the critical nature of their operations. The findings provide critical insights into how frequent exposure to complex cybersecurity protocols negatively impacts employees’ mental well-being and work performance. By analyzing sector-specific data, this research highlights the significant toll that sustained cybersecurity demands impose on employees, underscoring the importance of tailored strategies to address these challenges.

The results revealed that cybersecurity fatigue is significantly associated with increased stress, anxiety, and burnout, confirming the predictions of Burnout Theory. Spearman correlation analysis demonstrated a positive relationship between cybersecurity fatigue and mental health challenges (ρ = 0.56, p < 0.01), highlighting that higher fatigue levels exacerbate emotional exhaustion and reduce employees' capacity to cope with workplace demands. Similarly, regression analysis revealed that cybersecurity fatigue was a significant predictor of mental health deterioration (β = 0.52, p < 0.01), accounting for 27% of the variance in stress and burnout levels. These findings echo prior research that underscores the critical role of emotional exhaustion in workplace outcomes [31]. Such insights highlight the psychological toll of cybersecurity fatigue, particularly in industries where vigilance and compliance are paramount.

The study also found a strong negative relationship between cybersecurity fatigue and employee productivity. Spearman correlation analysis identified a significant negative association between fatigue and productivity (ρ = −0.41, p < 0.01), while regression results indicated that fatigue significantly reduced work efficiency (β = −0.38, p < 0.01), accounting for 18% of the variance in productivity outcomes. Employees experiencing heightened fatigue reported greater error rates, delays in task completion, and difficulty maintaining focus. These findings align with research on how psychological well-being and exhaustion impact workplace creativity and effectiveness [32]. High cognitive demands caused by repetitive alerts, complex compliance procedures, and strict authentication requirements appear to undermine not only productivity but also the innovative capacity of fatigued employees.

A key finding of the study was the mitigating role of mental health support initiatives. Employees with access to resources such as counseling services, resilience training, and stress management programs exhibited better mental health and productivity outcomes despite experiencing cybersecurity fatigue. This aligns with evidence suggesting that psychological capital and well-being play a critical role in shaping employee attitudes and outcomes [33]. For instance, employees supported by mental health programs reported significantly higher productivity levels and reduced stress compared to their unsupported counterparts, as evidenced by interaction effects identified through Structural Equation Modeling (SEM). Simplified security protocols, such as minimizing unnecessary alerts, automating routine security tasks, and streamlining password management, were also shown to reduce cognitive overload and enhance employee efficiency.

From a theoretical perspective, this study extends Burnout Theory to cybersecurity contexts. Traditional applications of the theory focus on general workplace stress, while this research positions cybersecurity fatigue as a distinct form of burnout resulting from continuous exposure to technical, repetitive, and cognitively demanding security measures. The findings emphasize that cybersecurity fatigue not only leads to emotional exhaustion but also undermines employees’ ability to perform effectively, adding a new dimension to the understanding of burnout in specialized workplace environments.

Practically, the findings provide actionable recommendations for organizations. Simplified security measures—such as adopting single sign-on (SSO) systems, reducing the frequency of password updates, and prioritizing high-risk notifications—can significantly alleviate the burden on employees. Additionally, digital detox initiatives, such as limiting after-hours cybersecurity demands, provide employees with the necessary recovery time to mitigate fatigue. These strategies offer a roadmap for organizations seeking to balance cybersecurity demands with employee well-being. Supporting employees through targeted mental health programs and fostering psychological resilience can also enhance organizational outcomes, as evidenced in prior studies [34].

Despite its contributions, the study has limitations. The reliance on self-reported data to measure cybersecurity fatigue, productivity, and mental health may introduce reporting biases. Future research should incorporate objective metrics, such as task error rates or biometric indicators of stress (e.g., cortisol levels, heart rate variability), to enhance the robustness and validity of findings. Additionally, the sample was predominantly drawn from Turkiye, limiting the generalizability of results to regions with differing cultural and regulatory contexts. Advanced regulatory frameworks, such as GDPR in the European Union, may influence how cybersecurity fatigue manifests. Expanding the scope to include diverse and global participant bases will provide a more comprehensive understanding of this issue.

In conclusion, this study highlights the urgent need for organizations to address cybersecurity fatigue as a critical factor influencing employee mental health and productivity. By adopting holistic strategies that integrate mental health support, simplify security protocols, and reduce cognitive overload, organizations can better equip their workforce to handle the growing demands of cybersecurity. These measures not only enhance employee well-being but also improve organizational efficiency and resilience. Future research should explore the long-term impacts of these interventions, examine the role of organizational culture and leadership in managing fatigue, and investigate cross-country differences to provide a deeper understanding of this emerging issue.

Author contributions

F.M. coordinated the research process, contributed to data collection, conducted the analysis, and drafted the manuscript. As the lead author, F.M. oversaw the entire study, ensuring the research objectives were met and revisions were completed. H.D. developed the conceptual framework, designed the survey, and contributed to the methodological aspects of the study. H.D.’s expertise was instrumental in shaping the study’s direction and ensuring the validity of the research instruments. O.Y. performed the statistical analysis and interpreted the data, particularly focusing on the application of Structural Equation Modeling (SEM). O.Y.’s role was critical in ensuring the robustness of the quantitative findings. T.K. conducted the literature review, contributed to data collection, and refined the analysis. T.K. also provided valuable input into the discussion section, ensuring the findings were contextualized within existing research.

Data availability

The data that support the findings of this study are available at 10.5281/zenodo.13797614.

Declarations

Competing interests

The authors declare no competing interests.

Footnotes

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

  1. Reeves A, Calic D, Delfabbro P. Sleeping with the enemy: does depletion cause fatigue with cybersecurity? In: HCI for Cybersecurity, Privacy and Trust: Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Copenhagen, Denmark, July 19–24, 2020, Proceedings 22. Springer International Publishing; 2020. pp. 217–31.
  2. Nobles C. Stress, burnout, and security fatigue in cybersecurity: a human factors problem. HOLISTICA J Bus Public Adm. 2022;13(1):49–72.
  3. Maslach C. A multidimensional theory of burnout. Theor Organ Stress. 1998;68(85):16.
  4. Edú-Valsania S, Laguía A, Moriano JA. Burnout: a review of theory and measurement. Int J Environ Res Public Health. 2022;19(3):1780.
  5. Singh T, Johnston AC, D’Arcy J, Harms PD. Stress in the cybersecurity profession: a systematic review of related literature and opportunities for future research. Organ Cybersecur J Pract Process People. 2023;3(2):100–26.
  6. RSM Global. Managing cybersecurity fatigue in a post-GDPR world. 2019. https://www.rsm.global/. Accessed 1 Aug 2024.
  7. ESET. The new normal: remote work and the cybersecurity challenge. 2020. https://www.eset.com/blog/company/esets-response-to-covid-19-and-looking-ahead-to-the-future-of-work-3/. Accessed 1 Aug 2024.
  8. Kim BJ, Kim MJ. The influence of work overload on cybersecurity behavior: a moderated mediation model of psychological contract breach, burnout, and self-efficacy in AI learning such as ChatGPT. Technol Soc. 2024;77:102543.
  9. Paul CL, Dykstra J. Understanding operator fatigue, frustration, and cognitive workload in tactical cybersecurity operations. J Inform Warf. 2017;16(2):1–11.
  10. Reeves A, Delfabbro P, Calic D. Encouraging employee engagement with cybersecurity: how to tackle cyber fatigue. SAGE Open. 2021;11(1):21582440211000050.
  11. Almanza AR. Cybersecurity and burnout: the cybersecurity professional's silent enemy. ISACA. 2023. https://www.isaca.org. Accessed 9 Aug 2024.
  12. Nepal S, Hernandez J, Lewis R, Chaudhry A, Houck B, Knudsen E, Czerwinski M. Burnout in cybersecurity incident responders: exploring the factors that light the fire. In: Proceedings of the ACM on Human-Computer Interaction. 2024;8(CSCW1):1–35.
  13. Pittas D, Delfabbro P, Reeves A. How to De-CyFa the actor-observer bias in cybersecurity fatigue: building the CyFa measure of attribution styles and mitigation strategies. Comput Secur. 2024;150:104179.
  14. Parker M. Burnout in information security: the case of healthcare. In: Douville S, editor. Advanced health technology. New York: Productivity Press; 2023. p. 121–70.
  15. Pham HC, Brennan L, Furnell S. Information security burnout: identification of sources and mitigating factors from security demands and resources. J Inform Secur Appl. 2019;46:96–107.
  16. Dykstra J, Paul CL. Cyber operations stress survey (COSS): studying fatigue, frustration, and cognitive workload in cybersecurity operations. In: 11th USENIX Workshop on Cyber Security Experimentation and Test (CSET 18). 2018.
  17. Furnell S, Stanton B, Theofanos MF, Prettyman S. Security Fatigue. In: Jajodia S, Samarati P, Yung M, editors. Encyclopedia of cryptography, security and privacy. Berlin: Springer; 2021. p. 7–11.
  18. He W, Zhang Z. Enterprise cybersecurity training and awareness programs: recommendations for success. J Organ Comput Electron Commer. 2019;29(4):249–57.
  19. Mailock Central. The impact of cybersecurity fatigue on productivity and mental health. Mailock Central. 2023. https://www.mailockcentral.com. Accessed 8 Sept 2024.
  20. Stanton B, Theofanos MF, Prettyman S, Furman S. Security fatigue. IT Prof. 2016;18(5):26–32. 10.1109/MITP.2016.84.
  21. Willie MM. The role of organizational culture in cybersecurity: building a security-first culture. J Res, Innov Technol. 2023;2(4):179–98.
  22. Hadlington L. Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon. 2017;3(7):e00346.
  23. Waddell M. Human factors in cybersecurity: designing an effective cybersecurity education program for healthcare staff. Healthc Manag Forum. 2024;37(1):13–6.
  24. Mittu R, Lawless WF. Human factors in cybersecurity and the role for AI. In: 2015 AAAI Spring Symposium Series. 2015.
  25. EC-Council University. Integrating cybersecurity into HR practices: building resilient organizations. n.d. https://www.eccu.edu. Accessed 10 Sept 2024.
  26. Mittal H. Software security: threats, solutions and challenges. Comput Softw Media Appl. 2024;6(1):3769.
  27. ISACA. HR and cybersecurity: supporting each other in challenging times. 2020. https://www.isaca.org. Accessed 6 July 2024.
  28. Firewall Times. T-mobile data breaches: full timeline through 2023. 2023. https://firewalltimes.com/t-mobile-data-breach. Accessed 1 June 2024.
  29. Dwarakanath S, Ravi K, Vijayakumar R. A study on the emotions of an employee after a cyber security attack in their organization. 2022.
  30. NIST. Incident response recommendations and considerations for cybersecurity risk management. 2024. https://www.nist.gov. Accessed 5 July 2024.
  31. Parray ZA, Islam SU, Shah TA. Exploring the effect of workplace incivility on job outcomes: testing the mediating effect of emotional exhaustion. J Organ Effect People Perform. 2023;10(2):161–79.
  32. Iqbal J, Aukhoon MA, Parray ZA. Thriving minds, thriving workplaces: unleashing creativity through psychological wellbeing and psychological capital. J Organ Effect People Perform. 2024. 10.1108/JOEPP-01-2024-0025.
  33. Parray ZA, Shah TA, Islam SU. Psychological capital and employee job attitudes: the critical significance of work-life balance. Evid-Based HRM Glob Forum Empir Scholarsh. 2022;11(3):483–500.
  34. Iqbal J, Parray ZA. Leading with integrity: illuminating the pathway to positive job outcomes through ethical leadership and CSR. Soc Responsib J. 2024. 10.1108/SRJ-08-2023-0464.

Articles from Discover Mental Health are provided here courtesy of Springer
