Security fatigue is the failure mode nobody puts on the risk register. Singapore’s public sector keeps stacking controls on the same civil servants expected to digitise services faster, and when self-regulation capacity bottoms out the result is not a flagged policy violation but quiet workarounds no audit catches.
The countermeasure the research points to is decision latitude, not over whether to comply but over how. When policy mandates a specific tool, a specific flow, and a specific schedule with no room for adaptation, cognitive cost goes up disproportionately. Letting staff choose their path to the same security outcome reduces the friction that causes workarounds in the first place.
Security fatigue is the failure mode nobody puts on the risk register. Singapore’s public sector keeps stacking controls on the same civil servants expected to digitise services faster, and when self-regulation capacity bottoms out the result is not a flagged policy violation but quiet workarounds no audit catches.
The countermeasure the research points to is decision latitude, not over whether to comply but over how. When policy mandates a specific tool, a specific flow, and a specific schedule with no room for adaptation, cognitive cost goes up disproportionately. Letting staff choose their path to the same security outcome reduces the friction that causes workarounds in the first place.