AJC’s SWIFT CSP 2025 Season: A...
As another SWIFT Customer Security Programme (CSP) season draws to a close, AJC reflects on a dynamic and successful year...
Read More
Organisations continue to invest heavily in cyber security technology, training and compliance frameworks. Firewalls, multi-factor authentication and 24/7 monitoring have become baseline requirements across many sectors. Yet even with these technical defences in place, vulnerabilities persist. A growing contributor is cyber security fatigue, a condition in which employees and security teams become overwhelmed by the volume of alerts, warnings and security obligations they face each day. Over time, this erodes vigilance, weakens decision-making and increases the likelihood of security incidents.
For security professionals, fatigue often stems from alert overload. Modern security tools generate vast numbers of notifications every day. Many of these are false positives or low-priority items, yet they still require attention. Research shows that a majority of UK security operations teams spend excessive time dealing with unnecessary cyber security alerts, with over half reporting that this contributes to stress and workload strain. In many organisations, the vast majority of alerts are considered non-actionable, yet they continue to distract teams from addressing genuine threats.
These pressures extend well beyond dashboards and metrics. A 2023 survey found that more than 90 per cent of cyber security professionals had cancelled, delayed or interrupted personal commitments due to work-related alerts, with over a third saying this happens regularly. Many also report symptoms of burnout and chronic stress driven by relentless alert volumes and insufficient capacity to respond sustainably.
For the wider workforce, fatigue manifests differently. Numerous studies link stress and cognitive overload to increased human error in cyber security practices. Employees under pressure are more likely to overlook important warnings, bypass recommended security behaviours or make mistakes, such as mishandling sensitive information or interacting with suspicious emails. Research into workplace error consistently highlights fatigue as a contributing factor to incidents that can lead to data breaches or system compromise.
Cyber security fatigue is not simply a wellbeing or HR issue. It has direct implications for organisational resilience and risk management. Human error remains a leading factor in security breaches, particularly in phishing and social engineering attacks, which continue to account for a significant proportion of successful compromises. When staff are mentally overloaded, even well-designed technical controls can be undermined. Important warnings may be missed or incidents reported late, giving attackers more time to exploit vulnerabilities.
For specialist security teams, sustained overload increases the risk of delayed responses to genuine alerts. This can lengthen detection and containment times and significantly increase financial and reputational damage. Over time, fatigue can also erode security culture, reducing the effectiveness of training programmes and weakening adherence to policy.
There is also a growing talent risk. The UK cyber security sector already faces a well-documented skills shortage, and burnout is prompting experienced professionals to reassess their roles. Surveys of UK cyber security practitioners consistently show high levels of stress linked to alert overload, raising concerns about long-term retention and operational resilience.
Regulatory expectations further heighten the challenge. UK data protection, operational resilience and financial services frameworks increasingly emphasise human-centred risk management, not just technical compliance. A fatigued workforce makes it harder for organisations to demonstrate that policies are being followed and risks are being effectively controlled.
Addressing cyber security fatigue requires a holistic approach that balances human and technical considerations. Reducing noise should be a priority. Security teams can lessen alert fatigue by refining detection rules, consolidating overlapping tools and tuning thresholds to prioritise genuinely critical events. Providing better context and risk-based prioritisation enables analysts to focus on what matters most, reducing wasted effort and cognitive load.
Automation also has an important role to play. Tools that handle routine triage, correlate related alerts or automate low-risk responses can significantly reduce manual workload. This allows security professionals to focus their time and judgement on higher-value investigative work.
For the wider workforce, smarter training and communication are essential. Security guidance that is practical, relevant and aligned to real working scenarios is more effective than frequent generic reminders. Clear, concise messaging helps reinforce good security behaviour without overwhelming employees.
Leadership support underpins all of this. Senior management must recognise that constant alerts and unrealistic workloads undermine effectiveness. Sustainable cyber security strategies include appropriate resourcing, realistic expectations and visible support for staff wellbeing. Encouraging a positive reporting culture, where employees feel comfortable raising concerns or admitting mistakes, also supports earlier detection and reduces risk.
Cyber security fatigue is an emerging and increasingly material challenge for organisations operating in a high-threat environment. Left unaddressed, it weakens technical controls, increases the likelihood of breaches and contributes to the loss of skilled professionals. Treating fatigue as a strategic issue, rather than an operational side effect, is essential to building long-term resilience. By reducing alert overload, improving communication and supporting staff wellbeing, organisations can create stronger, more sustainable defences.
AJC works with organisations to address cyber security fatigue as part of a broader, risk-led approach to security and resilience. We help clients review and rationalise security tooling to reduce alert overload and ensure controls are aligned to real risk rather than compliance alone. Our assessments focus on identifying where noise, duplication or poor prioritisation is placing unnecessary strain on teams.
We also support organisations in strengthening their human-centric security controls. This includes reviewing training programmes, incident reporting processes and governance frameworks to ensure they are practical, proportionate and effective in real-world conditions. By aligning technical controls with people, processes and regulatory expectations, AJC helps organisations build sustainable cyber security programmes that reduce risk without burning out their teams.
Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
Sources:
https://insight.scmagazineuk.com/alert-fatigue-the-silent-killer-of-security-operations
https://www.paloaltonetworks.co.uk/cyberpedia/how-to-reduce-security-alert-fatigue
https://cybersecuritynews.com/managing-cybersecurity-fatigue/
Image accreditation: Zulfugar Karimov. July 2025. From Unsplash.com. Last accessed on 14th January 2026. Available at: https://unsplash.com/photos/a-security-and-privacy-dashboard-with-its-status–nBClEqKKVM
As another SWIFT Customer Security Programme (CSP) season draws to a close, AJC reflects on a dynamic and successful year...
Read More
January 2026 has shaped up to be a month that reinforces the importance of taking time to ensure personal and...
Read More
Operational resilience has become a central theme in UK risk and regulatory conversations. Boards, regulators and risk teams speak of...
Read More