Information security burnout: Identification of sources and mitigating factors from security demands and resources

Abstract

This study examines how information security burnout can develop from complying with organisational security demands, and whether security burnout can be reduced by engaging organisational and personal resources. The Job Demands-Resources model was extended to the IT security context, to develop and empirically test a security burnout model, using a sample of 443 participants in Vietnam. The results demonstrate that security task overload and difficult access to security requirements increased security burnout while dealing with challenging security requirements reduced burnout. Neither organisational resources nor user self-efficacy were effective in reducing burnout. Moreover, simple security tasks did not guarantee a burnout-free experience for users. The findings emphasise the significance of providing resources and designing security tasks as challenging and rewarding experiences, rather than simply reducing user involvement as a source of decreasing cyber security risks. The research establishes a theoretical basis for further studying the phenomenon of security burnout and its role in user security management.