Cybersecurity is often framed as a technical problem, but new research suggests that the real challenge lies in human behavior. In their article "Who cares if we get hacked? The development and testing of a measure of information security apathy", Alan R. Dennis, Sanjay Goel, Jenny Huang and Kevin J. Williams introduce and validate a construct that may reshape how organizations approach cyber risk: information security apathy. The concept refers to a persistent lack of interest in information security, which makes it more trait-like than a simple, situational lack of motivation.
The authors argue that apathy plays a more significant role than knowledge in determining whether employees comply with security policies. While companies have long invested heavily in training and awareness campaigns, compliance rates remain troublingly low. Many breaches occur not because of malicious intent but because employees ignore policies when they interfere with daily work tasks. The studies show that security apathy leads individuals to bypass requirements such as updating software, creating complex passwords or recognizing phishing attempts even when they know better.
Dennis and his coauthors conducted a series of studies to explore this phenomenon. The first phase focused on creating a reliable and valid scale to measure security apathy, confirming that it is distinct from related constructs such as motivation or attitudes toward policies. Importantly, the measure proved stable over time, much like personality traits, which makes it a strong predictor of behavior across different contexts.
The second and third studies tested the effects of apathy versus knowledge on security decisions. Participants faced realistic scenarios such as whether to click on suspicious email links or delay system updates. The results were striking: security apathy consistently showed medium to large effects on decision quality, whereas knowledge had only small or even no significant impact when job pressures increased. Personality traits like agreeableness, conscientiousness and openness were also found to be negatively correlated with apathy, offering a deeper understanding of why some individuals care less about security.
These findings have major implications for practice. Training alone may not be sufficient if employees remain indifferent. Organizations must identify and address apathy directly, perhaps by redesigning incentives, fostering a stronger sense of responsibility or exploring psychosocial interventions. The authors suggest that treating security apathy the way clinicians approach selective apathy, by uncovering root causes such as frustration, overload or lack of recognition, could be more effective than repeating generic training.
Ultimately, this research highlights an uncomfortable truth: even the most advanced defenses can fail if employees simply do not care. By recognizing apathy as a measurable and stable factor, companies gain a new diagnostic tool to identify high-risk groups and tailor interventions. As the authors conclude, understanding and mitigating information security apathy is key to closing the persistent gap between security knowledge and security behavior.
The article "Who cares if we get hacked? The development and testing of a measure of information security apathy" by Dennis, Goel, Huang and Williams was published in Information & Management and is available online.
