I hear you ask, “Stuart, what is reader fatigue?” Well, my friend, it is the apathy people feel when they have to read verbose documents for a reason they do not care about.
Let’s break that down a little:
Apathy
Behaviour that shows no interest or energy and shows that someone is unwilling to take action, especially over something important.
Cambridge Dictionary
Privacy Notice
Let’s look at this from the perspective of a Privacy Notice. Have you signed up for a new service like Disney+, Prime Video, or Netflix? Before you can watch anything, you are met with a Privacy Notice to read.
You know that privacy is important. It’s such an important issue that you started a career trying to protect other people’s privacy.
Did you read every line?
You did read it all… didn’t you?
Be honest now…
You skipped it… didn’t you?
That, my friend, is “Reader fatigue.”
Reader Fatigue in Security
On average, one-third of people asked to read a security policy will click to indicate they have read a 10+ page Information Security Policy in less than 60 seconds. I have seen the data with my own eyes.
When people don’t care to even read the policies, you get data like this from Gartner.
A Gartner survey conducted in May and June 2022 among 1,310 employees revealed that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months. In the survey, 74% of employees said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.
Reader fatigue is potentially harmful to your organisation. If we recall the four drivers from the “How to Choose a Standard” edition:
1. Legal or regulatory obligation
2. Customer requirement
3. Consistency of Operational Security Configurations
4. Continuity of value generation
Numbers three and four directly relate to the security posture of the organisation. If people ignore the rules and set operational security configurations to suit their needs, there is a significant opportunity for a malicious person to exploit the shadow configurations and impede business operations.
Preventing Reader Fatigue
So, how do we prevent reader fatigue? In a nutshell… it’s not easy. It’s going to take significant organisational change and support from executive management. Here are some options you can look at:
Global email from the CISO explaining why staff need to read policies
Improve your writing in the security policies and procedures
Reduce the length and include only relevant information
Reduce the authoritarian language (Stop SHOUTING)
Write to the rule followers, not the rule breakers
Communicate policies using new methods
Explainer videos and policy cheat sheets
Write with respect and remove emotion
Reduce the number of documents
Reduce the notifications
Reduce the frequency
You can try and do these yourself. Please do! I would love to see how you get on. Could you write about it and tell everyone what you learned?
Or… you could speak to the employee of the month at PolicyWizard 🙂. Someone who’s done this for real at an enterprise-level global software company.
If you’re seeing multiple staff leaking data or violating security policies, it might be worth looking into your security policies and trying to make improvements that reduce reader fatigue.
If you would like to work with me on reducing reader fatigue at your organisation, DM me on LinkedIn or book a Discovery call. Discovery calls are for business customers engaging in consulting with PolicyWizard. If you want to learn more about security policies, enrol in the course or book a coaching call.
Why do we break the rules?
I’ve recently learned about a study carried out in the 1950s on the topic of delinquency. It talks about how people tell themselves that rule-breaking is okay, depending on the justification. It’s called Neutralization. I’ll be digging into the subject more and covering it in a future edition.
That’s it for this week; thanks for reading till the end! I hope you found this edition valuable. If you’re writing policies, it’s always good to consider how our policies and procedures affect our readers and remove objections where possible.
Until the next adventure,
Stuart Wedge,
PolicyWizard 🧙‍♂️