Exhausted, Not Reckless
On why security fatigue is a design problem
Picture her for a moment… Fourth meeting of the day, half a sandwich on the desk, calendar a cliff face of fifteen-minute blocks scheduled by someone who has never had to actually be in quick-fire meetings all day… and on top of all of it, this morning, before the coffee even landed, a phishing test that pretended to be from HR. She failed it.
So now there is a thirty-minute module queued up… and a follow-up email… and a ping on Teams from the security team that begins with the word “Hi” but means “we noticed.” There is also an actual email from a real supplier waiting for a real answer about a real invoice… and she has eleven minutes before the next meeting starts.
She is not reckless. She is at the edge of what is humanly possible to keep up with.
This is the part of the story the industry keeps misreading. The CybSafe Oh Behave report tells us that 43% of people have shared sensitive information with AI tools. And we hear that figure and we immediately reach for the same vocabulary we have been using for two decades. Reckless. Negligent. Risky behaviour. As if the people doing this are running on a completely different operating system to the rest of us… as if they wake up in the morning and decide… “ah, today, today is the day I am going to embarrass my employer.”
They are not.
Gartner found that 69% of employees bypassed cyber security policies in the last twelve months. Sixty nine percent. If two thirds of people are doing the thing the policy forbids, the issue has stopped being about the people. The policy is doing something the work cannot survive. The training that explains the policy is doing something attention cannot survive. The whole apparatus has been bolted onto the side of a working day that was already, before any of this arrived, running at 110% of capacity.
So, we have an interesting situation. The industry’s response to security fatigue is, almost without exception, more security content. Another module. Another reminder. Another carefully worded poster in the kitchen. The logic appears to be that if people are tuning out, the answer is to turn the volume up… which is the kind of thinking that would get you politely shown the door in any other branch of behavioural science but which seems to survive perfectly well inside ours. Decision fatigue is a real, measurable, and very well documented phenomenon. So is cognitive load. So is the slightly unflattering fact that the brain protects itself from saturation by simply switching the noisy thing off. Security has become the noisy thing.
And it gets worse. Yay!
The researchers at ETH Zurich looked at embedded remedial training… i.e. the kind of thing that fires automatically after someone fails a phishing test… and found that it can actively make things worse. The people who fail the test, get the training, and then face the next test… can come with their guard lower than when they walked in. They’re not warier. Not sharper. They’re actually more clickable, not less. The intervention designed to fix the problem creates a thin layer of false security sitting on top of the original gap, and the next time a sophisticated lure arrives, the brain says we have done the training, we are fine, we know what we are doing, click.
Budget spent. Situation marginally worse.
This is the thing that ought to keep awareness practitioners up at night and largely does not. If your interventions cannot demonstrate that they leave people in a better behavioural position than before they arrived… the only honest answer is to stop delivering them. Volume is not the answer. Repetition is not the answer. Annual everything is definitely not the answer. The answer… and I know this sounds almost embarrassingly simple but the simple things are the ones we keep walking past… is to give people something worth paying attention to and then leave them the fuck alone for a bit.
Immersive learning works because it inverts the entire fatigue equation. Instead of demanding attention that has already been spent five times that day, it earns attention by creating real stakes inside a contained moment. A team working through an immersive scenario together is not being asked to absorb information. They are being asked to make decisions. The decisions have consequences. The consequences land in the room while they are sat next to the people they actually work with. The conversation afterwards uses the language of the experience rather than the language of the module… which is exactly how culture starts forming in the first place. Forty-five minutes. One scenario. One conversation. Everyone walks away with something the brain agreed to keep… because the brain agreed it mattered.
And the rest of the time… they get to do their actual jobs.
There is a particular kind of intellectual courage required to look at a saturated workforce and decide the answer is less and not more. It runs against every instinct of an industry that measures itself by activity rather than outcome, by reach rather than retention, by the number of modules delivered rather than the number of behaviours actually changed. But the data has been telling us the same story for some time now, and the people in the seats have been telling us the same story for longer, and at some point we are going to have to admit that we are not training a population of careless idiots. We are training a population of exhausted adults who have other things to be getting on with.
The reckless framing was always a comfortable lie. It put the failure on the workforce, and it put the responsibility for fixing it on more of what was already not working. The truth is harder, and quieter, and a great deal cheaper. The system is producing exactly the behaviour the system is built to produce.
If we want different behaviour, we build a different system.
That's it for this week. Reply and tell me what you think.
Amy
Amy Stokes-Waters · Founder, The Cyber Escape Room Co.
