Exploring IT security alarm fatigue

Chris Good

Date: March 2025

A significant percentage of IT security breaches are caused by human error – various studies estimate this figure to be 80-90%.

Here’s a breakdown of how human error plays a role:

  • Phishing & Social Engineering Attacks – 74% of breaches involve a human element (Verizon 2023 Data Breach Investigations Report).
  • Weak or Compromised Passwords – Around 81% of hacking-related breaches stem from poor password practices.
  • Misconfigurations & Poor Security Practices – Issues like misconfigured cloud storage, poor access control, and outdated software create vulnerabilities.
  • Insider Threats – Whether intentional or accidental, employees can expose organisations to cyber risks.

Given these risks, organisations are continuously implementing measures to reduce the probability of human errors. Common approaches include:

  • Regular security awareness training
  • Multi-factor authentication (MFA)
  • Strong password policies and password managers
  • Automated security checks and alerts

The risk of following the crowd

However, every security measure should be justified with a clear business case, not only for its initial implementation but also for its ongoing effectiveness. Organisations must consider the costs, benefits, implications, and confidence in delivery rather than blindly adopting security controls because “everyone else does.”

A prime example? Email warning banners on external messages.

Benefits of email warning banners:

  • A clear visual cue reminding recipients to be cautious.
  • May be a requirement for security insurance compliance.

The downsides of overuse:

Alarm Fatigue & Desensitisation – imagine a physical package being delivered to your door several times a day. Each time, the delivery person shouts “THERE MAY BE SOMETHING DANGEROUS IN THERE! BE CAREFUL!”. You may listen for the first few days, but after that you will most likely ignore the warning. The same happens with alarms in medical environments and with dashboard warnings in vehicles: when alerts are too generic and too frequent, people switch off and miss the real threats.

Cluttered Email Chains – When replying to an external email, the banner persists in the thread, making conversations messy and potentially leaving a negative impression on the external party.

Reduced Productivity – If your email preview shows the first line of text, the warning banner replaces valuable context, forcing users to open emails unnecessarily and therefore impacting productivity.

A smarter approach

Rather than applying blanket warnings to every external email, consider a more targeted approach:

  • Show warnings only for departments that rarely receive external emails.
  • Trigger warnings only on emails with attachments or links.
  • Identify and flag impersonation attempts using advanced email security tools.

What do you think? Have you encountered alarm fatigue with security measures in your workplace?
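The targeted policy above, expressed as a banner decision function, as an added example that is not part of the original article. The internal domain, the recipient-to-department map, the list of departments that rarely receive external mail and the directory of internal display names are all constructed assumptions; the impersonation check is a deliberately simple stand-in for the richer checks a dedicated email security tool would perform.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"                         # assumed internal domain
RARELY_EXTERNAL = {"finance", "hr"}                     # assumed: departments that seldom get external mail
DEPARTMENT = {"alice@example.com": "finance", "bob@example.com": "sales"}  # assumed mailbox -> department
INTERNAL_NAMES = {"alice smith", "bob jones", "carol ceo"}  # assumed directory of internal display names
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)     # any http(s) link in the body counts

@dataclass
class Message:
    from_addr: str
    from_name: str
    to_addr: str
    body: str
    attachments: list = field(default_factory=list)

def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def looks_like_impersonation(msg: Message) -> bool:
    # External address whose display name matches someone in the internal directory.
    return is_external(msg.from_addr) and msg.from_name.strip().lower() in INTERNAL_NAMES

def banner_reasons(msg: Message) -> list[str]:
    """Return the reasons a banner should be shown; an empty list means no banner."""
    if not is_external(msg.from_addr):
        return []                                       # internal mail never gets a banner
    reasons = []
    if looks_like_impersonation(msg):
        reasons.append("display name matches an internal user")
    if msg.attachments:
        reasons.append("external attachment")
    if URL_RE.search(msg.body):
        reasons.append("external link")
    if DEPARTMENT.get(msg.to_addr.lower()) in RARELY_EXTERNAL:
        reasons.append("recipient department rarely receives external mail")
    return reasons

def render(msg: Message) -> str:
    reasons = banner_reasons(msg)
    if not reasons:
        return msg.body                                 # routine external mail to sales: no clutter
    return f"[CAUTION: {'; '.join(reasons)}]\n{msg.body}"

if __name__ == "__main__":
    sample = Message("c.ceo@outside.example", "Carol CEO", "alice@example.com",
                     "Please review the attached document.", ["document.pdf"])  # constructed sample
    print(render(sample))
```

A plain external reply to a sales mailbox renders with no banner at all, which is the point: the banner is reserved for the cases the policy singles out.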

If you would like to speak to Chris regarding this insight, send your enquiry to contact@masonadvisory.com to discuss further.
