Now and Later? Comparing a Nomothetic and Idiographic Analysis of Cybersecurity Fatigue

Abstract

From receiving phishing warnings to participating in required training sessions, today’s workers are inundated with a seemingly endless flow of cybersecurity-related activities. For some, this encumbrance can lead to feelings of fatigue, an increased susceptibility to ignore cybersecurity requirements, and engagement in workarounds. However, the extent that cybersecurity fatigue phenomena fluctuate over time remains unclear, despite the notable consequences for organizational risk. In response, we conducted a three-wave, repeated measures survey over a period of seven months, then compared the nomothetic (cross-sectional, between-person) results at wave 1 with the idiographic (longitudinal, within-person) results spanning waves 1-3. Together, the analysis reveals conflicting theoretical conclusions; namely, that only two of the four significant relationships at wave 1 were significant over waves 1-3. We draw on ego-depletion theory as a preliminary theoretical explanation for this finding and highlight paths for future inquiry.