Every October we run the same play: more "Cybersecurity Awareness" posters, more phishing tests, more slogans. And every October the metrics barely move.
But here's what's actually happening in executive meetings right now: CISOs are losing budget requests they would have won five years ago. Security recommendations that should be obvious are getting dismissed. Senior leaders who used to nod along to risk presentations are checking their phones.
It's time to admit the obvious. The awareness model we inherited doesn't work anymore—and new research explains why.
More critically: this isn't just about training employees. It's about why executive leadership isn't listening to us.
The Research We Can't Ignore
A brand new study from the International Conference on Information Systems describes a phenomenon called "InfoSec Advice Fatigue." After analyzing 100 security advice articles and surveying 400 internet users, researchers discovered something that should concern every security leader:
InfoSec advice fatigue is defined as "an aversive motivational state of being exhausted and bored by overexposure to similar, redundant InfoSec advice over time."
Let that sink in. Aversive motivational state. This isn't about people being lazy or indifferent to security. It's a documented psychological response to environmental conditions—specifically, the overwhelming volume of security advice in today's landscape.
Desensitized. That's our executive team. That's our management. That's our staff.
Not because they're irresponsible, but because they're human beings responding normally to an abnormal amount of advice.
The Four Dimensions of Fatigue
The researchers identified four distinct dimensions that, together, explain why our carefully crafted recommendations are being ignored:
1. Perceived Overexposure to Security Messages (Just tooooo many)
The feeling of being exposed to security messages beyond desired frequency. When senior executives sigh at "another security presentation," they're not being difficult—they're experiencing genuine overexposure.
Think about it: quarterly presentations for years, monthly IT updates, vendor briefings, audit findings, compliance trainings, industry conference talks, news coverage of breaches. It never stops.
2. Perceived Redundancy (All of the messages seem to be the same)
The perception that messages are repetitive and overlapping. When our phishing awareness training sounds identical to last quarter's training, which echoed the vendor webinar, which repeated the compliance team's guidance, which mirrored the IT department's email—that's perceived redundancy.
Different sources, same message, over and over.
3. Exhaustion
Actual emotional burnout from security advice. This isn't metaphorical tiredness. Research participants reported genuine feelings of being "burned out" by security messages.
4. Tedium
Complete lack of enthusiasm for the topic. When someone says "not another security update," they're expressing tedium—and it's a documented response to advice saturation.
Together, these four dimensions create a psychological state where people mentally shut down when they encounter security advice—regardless of how important or well-crafted that advice might be.
Why This Matters More Right Now Than Ever Before
For fifteen years, we operated in what I call the "Blank Check Era."
Security was at the top of every company's risk register. Executive leadership understood the breach headlines. Point to the threat, get the funding. Use fear and uncertainty, and budgets materialized.
That era is over.
For the first time in a long time, cybersecurity budgets are being cut. CIOs and CFOs are no longer writing blank checks. The message is clear: "You've had fifteen years and unlimited resources. You should have figured this out by now."
And here's the connection to advice fatigue that most security leaders are missing:
Every quarterly "the threat landscape has evolved" presentation added to the redundancy. Every "critical security update" email increased the exhaustion. Every briefing about new attack vectors contributed to the overexposure. Every fear-based budget request generated more tedium.
We weren't wrong to use these approaches. The environment demanded them. But the accumulated effect—fifteen years of constant warnings—has created fatigued audiences across all levels of our organizations that can no longer process our messages effectively.
The research confirms what we've probably felt but couldn't articulate: our audiences aren't evaluating our current message in isolation. They're evaluating it in the context of every security message they've ever received. And that context is now saturated to the point of counterproductivity.
The Two Root Causes Creating This Crisis
The research identified two critical factors driving InfoSec Advice Fatigue—and both fundamentally challenge how we've been operating:
Cause 1: InfoSec Advice Communication Overload
Here's the brutal truth the research confirms: "No internet user has any real prospect of keeping up."
Think about the sources of security advice our audiences encounter:
- Our security teams
- IT departments
- Compliance officers
- HR security awareness programs
- External auditors
- Security vendors
- Industry associations
- Government agencies (CISA, FBI, DHS)
- Media coverage of breaches
- Conference presentations
- Webinars and training providers
Each source believes their advice is critical. Each produces content regularly. Many cover the same threats with slightly different language.
The result? A volume of advice that makes it impossible for anyone—from the front-line employee to the C-suite executive—to distinguish truly critical threats from background noise.
Our perfectly crafted, thoroughly researched, genuinely important security recommendations are competing with hundreds of other messages—and the audience's default response to that competition is disengagement.
Cause 2: InfoSec Advice "Malabsorption"
Even when people want to follow security advice, they often can't because they don't understand it.
The research documents this as "the inability of users to comprehend complex or inconsistent InfoSec advice."
One participant captured this perfectly: "Security advice uses a lot of big words."
When security advice is complex—filled with terms like "zero-trust architecture," "defense in depth," "threat surface reduction," "security posture improvement"—audiences expend enormous mental effort trying to understand. Eventually, they reach their limit and give up entirely.
The Psychological Mechanism That's Defeating Us
Here's what should concern every security leader: the research reveals exactly how advice fatigue destroys persuasion. A fatigued audience stops evaluating the advice itself and instead copes with the feeling of being overwhelmed, what the researchers call emotion-focused coping. In the context of security advice, this manifests as:
- Categorizing advice as "unhelpful or unwarranted"
- Mentally dismissing recommendations as "not applicable to me"
- Characterizing security guidance as "fear-mongering" or "overreacting"
- Deciding that "nothing bad has happened yet, so it's probably fine"
This isn't conscious decision-making. It's a psychological defense mechanism against feeling overwhelmed.
And here's the critical insight: once audiences engage in emotion-focused coping, the quality of our message becomes irrelevant.
The research documents this as "disengagement with advice content regardless of the design of the content characteristics."
Read that again: regardless of content design.
We can have perfect technical analysis. Ironclad business justification. Clear ROI calculations. Concrete recommendations. And none of it matters if our audience has already mentally categorized our message as "more security noise I'm too tired to process."
This explains why brilliant security professionals—people with exceptional technical skills and genuine expertise—repeatedly fail to get buy-in for obviously necessary initiatives.
The problem isn't our competence. It's that we're trying to influence fatigued audiences without acknowledging or addressing that fatigue.
The Brutal Truth (And the Path Forward)
We created this problem. Our communication habits—volume over clarity, fear over confidence, compliance over curiosity—have trained our workforce and our leadership to tune us out.
But here's the good news: the research doesn't just document the problem. It points to specific solutions based on how human psychology actually works.
Over the coming days, I'll be breaking down the science-backed approaches that can break through advice fatigue:
Upcoming: Why abstract language fails and concrete language persuades—and the specific framework for translating our security recommendations to break through mental filters
Friday: The "Goldilocks Principle" of fear appeals—why too much fear and too little fear both fail, and how to calibrate emotional intensity for optimal persuasion
Monday: Standing out in the saturated advice environment—differentiation strategies that make our messages memorable when audiences have heard it all before
Tuesday: The complete framework that integrates all of these insights into a systematic approach we can use before every communication
Next Wednesday: Deep-dive newsletter with case studies, measurement tools, and the complete Pre-Communication Checklist
But let me give you a preview of what this looks like in practice—because the solution isn't theoretical. It's operational.
What the Reset Actually Looks Like
1. Kill the Campaign Model
Awareness "months" and mass email blasts generate noise, not insight.
Stop measuring: Messages sent, training sessions completed, posters distributed (one of my friends in the industry calls these "Vanity Metrics" and I think that is a very kind way of putting it)
Start measuring: Messages remembered, guidance understood, behaviors changed
Example: Instead of a 12-month calendar of generic reminders, deliver contextual guidance at the exact moment of risk—a quick, plain-language prompt inside the tool the person is already using.
A pop-up in the expense tool that says: "This file type can hide macros—uploading it could expose client data. Use the secure file transfer link instead."
No broadcast email. No training session. Just precision timing with concrete guidance.
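The pop-up above only works if something decides, at upload time, whether the file can actually carry macros. Below is an added example of that check (my illustration, not code from the original post or from any expense tool). It inspects content rather than trusting the extension: legacy .doc/.xls files are OLE2 containers identified by their magic bytes, and modern .docm/.xlsm files are zip containers whose part list includes vbaProject.bin. The sample blobs are constructed in the script, and the prompt wording is an assumption.

```python
import io
import zipfile
from typing import Dict, Optional

# Magic bytes of legacy OLE2 containers (.doc/.xls/.ppt), which may carry VBA.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Office stores VBA in a part named vbaProject.bin inside OOXML (zip) documents.
VBA_PART_SUFFIX = "vbaproject.bin"

# Assumed plain-language prompt, shown only when the check fires.
MACRO_PROMPT = (
    "This file can carry macros. Uploading it here could expose client data. "
    "Use the secure file transfer link instead."
)


def detect_macro_capable(data: bytes) -> Optional[str]:
    """Return a short reason if `data` looks macro-capable, else None.

    The extension is ignored on purpose: renaming invoice.docm to invoice.docx
    does not remove the macro, but it does fool an extension-based filter.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy OLE2 container (may contain VBA)"
    if data[:4] == b"PK\x03\x04":  # zip local file header: candidate OOXML
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(VBA_PART_SUFFIX):
                        return "OOXML part %s (VBA project)" % name
        except zipfile.BadZipFile:
            return None  # not a readable zip; leave it to other controls
    return None


def upload_prompt(data: bytes) -> Optional[str]:
    """Contextual guidance for the upload dialog: the prompt, or None to stay silent."""
    return MACRO_PROMPT if detect_macro_capable(data) is not None else None


def build_ooxml(parts: Dict[str, bytes]) -> bytes:
    """Build a minimal zip standing in for an OOXML document (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: not real documents, just enough structure for the check.
SAMPLE_DOCX = build_ooxml({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>"})
SAMPLE_DOCM = build_ooxml({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>",
                           "word/vbaProject.bin": b"\x00" * 16})
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 64
SAMPLE_PDF = b"%PDF-1.7\n%constructed, no macros here\n"

if __name__ == "__main__":
    for label, blob in [("docx", SAMPLE_DOCX), ("docm", SAMPLE_DOCM),
                        ("doc", SAMPLE_DOC), ("pdf", SAMPLE_PDF)]:
        print(label, "->", detect_macro_capable(blob), "|", upload_prompt(blob))
```

The prompt fires for the .docm and the legacy .doc and stays silent for the plain .docx and the PDF, which is the point: one precise message at the moment of risk, and nothing when there is no risk. A production version would also cap the size of the zip it is willing to open before parsing it.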
2. Replace Training with Co-Creation
People don't internalize rules they didn't help write.
The approach: Host short rewrite sessions where employees translate security guidance into their own terms. If they can't translate it, the guidance isn't clear enough.
Example: The finance team rewrites the password policy in plain business language. They debate what "strong password" actually means. They decide on specifics. They own it—and therefore they follow it.
This isn't dumbing down security. It's ensuring our guidance is actually absorbed rather than ignored.
3. Shift from Fear to Mastery
Fear spikes attention briefly, then kills it permanently. Confidence sustains behavior long-term.
Transform: "Don't click suspicious links" → "Here's how to spot and stop a suspicious link—and why it matters for protecting client data"
Example: A leaderboard that highlights "reported-and-stopped" events instead of "phishing failures."
Engagement rises because people see themselves as defenders who are getting better, not as potential weak links who keep failing tests.
4. Cut 80 Percent of the Noise
Audit every communication channel. Eliminate duplicates, jargon, and anything that doesn't drive a measurable action.
Attention is a finite asset—treat it like budget.
The question to ask: If we reduced our security communications by 80%, which 20% would we keep?
Those are probably the only ones that were breaking through anyway. The rest was contributing to overload.
5. Build an Influence Operations Function
This is my favorite recommendation and one that I am going to explore and outline in greater detail. I've surfaced this with many leaders in the Cyber/InfoSec world, and there is a growing understanding and appreciation for this subject matter on InfoSec teams.
Here's the strategic shift: awareness should no longer live in HR or compliance. It should sit beside threat intelligence and incident response as a core security control.
Think of it as security engineering for the human layer. The team:
- Measures baseline fatigue levels in different audiences
- A/B tests message approaches before wide deployment
- Tracks persuasive outcomes (not just completion rates)
- Systematically reduces noise while increasing signal
- Applies the same rigor to communication design that we apply to network architecture
This isn't a nice-to-have. In an environment where our influence determines whether critical controls get implemented and funded, systematic influence operations are as essential as our SOC.
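"A/B test message approaches" and "track persuasive outcomes" are measurable only if the function actually does the arithmetic. Below is an added example (mine, not from the original post) of the comparison such a team would run after a phishing simulation: two message variants, a fear-framed "don't click" warning versus a mastery-framed "how to spot and report" message, compared on the defender metric from section 3 (reports to the SOC) rather than on training completion. The per-recipient results are constructed for illustration, and the variant names, sample sizes and counts are assumptions.

```python
import math
from typing import Dict, List, Tuple

# Constructed simulation results (not real data): one record per recipient.
# Outcome is "reported" (sent to the SOC), "clicked", or "ignored".
SAMPLE_RESULTS: List[Tuple[str, str]] = (
    [("fear", "reported")] * 41 + [("fear", "clicked")] * 38 + [("fear", "ignored")] * 321
    + [("mastery", "reported")] * 69 + [("mastery", "clicked")] * 22 + [("mastery", "ignored")] * 309
)


def tally(results: List[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count outcomes per variant, plus the total n for each variant."""
    counts: Dict[str, Dict[str, int]] = {}
    for variant, outcome in results:
        c = counts.setdefault(variant, {"reported": 0, "clicked": 0, "ignored": 0, "n": 0})
        c[outcome] += 1
        c["n"] += 1
    return counts


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> Tuple[float, float]:
    """Two-sided two-proportion z-test. Returns (z, p_value).

    Uses the pooled proportion under the null hypothesis that both variants
    have the same true rate; the p-value comes from the normal tail via erfc.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p2 - p1) / se
    p = math.erfc(abs(z) / math.sqrt(2))
    return z, p


def compare_variants(results: List[Tuple[str, str]], control: str = "fear",
                     treatment: str = "mastery", metric: str = "reported",
                     alpha: float = 0.05) -> Dict[str, float]:
    """Compare treatment against control on one outcome metric."""
    counts = tally(results)
    x1, n1 = counts[control][metric], counts[control]["n"]
    x2, n2 = counts[treatment][metric], counts[treatment]["n"]
    z, p = two_proportion_z(x1, n1, x2, n2)
    return {
        "control_rate": x1 / n1,
        "treatment_rate": x2 / n2,
        "lift": x2 / n2 - x1 / n1,
        "z": z,
        "p": p,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    for metric in ("reported", "clicked"):
        r = compare_variants(SAMPLE_RESULTS, metric=metric)
        print("%-8s control=%.3f treatment=%.3f z=%.2f p=%.4f significant=%s"
              % (metric, r["control_rate"], r["treatment_rate"], r["z"], r["p"], r["significant"]))
```

On the constructed data the mastery message raises the report rate from about 10% to about 17%, and the difference is well outside what chance would produce at these sample sizes (p below 0.01). Two things a practitioner would add before trusting a result like this: run the comparison across several campaigns rather than one, since a single lure's difficulty dominates any one simulation, and decide the metric and the alpha before the campaign, not after looking at the numbers.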
This Cybersecurity Awareness Week, Ask One Question
If our awareness plan for this year looks like last year's, we should stop. Take a breath.
The research couldn't be clearer. More volume doesn't equal more influence. It equals more fatigue.
The fix isn't louder campaigns. It's a smaller, smarter, evidence-based system that earns attention rather than demands it.
And for security leaders specifically—those of us presenting to executive leadership, requesting budgets, trying to get senior management buy-in—this research explains why approaches that worked for fifteen years are suddenly failing.
The good news? The solution exists. The research provides it. And over the next week, I'll show you exactly how to apply it.
Because the world won't wait for us to catch up.
About This Series: This is Part 1 of a 5-part series examining new research on InfoSec advice persuasiveness and its implications for security leadership. Each article provides actionable frameworks based on academic research combined with practical experience from Fortune 1 security leadership.
Subscribe to my newsletter for the deep-dive analysis, exclusive tools, case studies, and the complete Pre-Communication Checklist that won't appear anywhere else.