- › Every decision has a cost. After a long run of them, the mind starts defaulting to the easy answer, and in security the easy answer is usually the insecure one: approve, dismiss, allow.
- › The science is real but debated. Treat decision fatigue as a documented tendency, not an iron law. The pattern is familiar to anyone who has worked a long shift.
- › Security runs on judgment calls all day: access requests, alerts, exceptions, verifications. By late afternoon the effortful choice loses to the effortless one.
- › Attackers know this. Social engineering lands hardest at the end of the day, on a Friday, or mid-incident, when the person deciding is already spent.
- › You cannot will your way out of it. You design around it: cut the low-value decisions, protect the high-stakes ones, and make the safe choice the default.
It is 4:45 on a Friday. Your systems administrator has approved forty access requests today, cleared a hundred alerts, and answered three “quick questions” that each took twenty minutes. Then request forty-one arrives, marked urgent, from a name they half-recognize. At nine in the morning they would have paused, checked, and asked a question. At 4:45 on a Friday they click approve, because approving is easy and scrutiny is work, and they are out of work for the day.
Nothing about that administrator is careless. They are experiencing decision fatigue, one of the most predictable patterns in human psychology, and it is quietly shaping security outcomes in every organization that runs on human judgment. Which is all of them.
Every Decision Spends Something
The idea behind decision fatigue is simple. Making decisions draws on a limited resource, and as that resource runs down over a day, the quality of the decisions runs down with it. The mind stops doing the effortful work of weighing options and starts reaching for the path of least resistance. It favors the default. It says yes to avoid the work of saying no.
The most famous illustration comes from a study of an Israeli parole board, where favorable rulings fell from roughly 65% at the start of a session toward almost zero by the end, then recovered after the judges took a food break (Danziger et al., 2011). It is a striking result, and it is also contested. Later researchers argued that how the cases were ordered explained much of the swing, and the size of the effect is still debated in the literature.
Set the exact number aside. You do not need a perfect study to know this one is real, because you have lived it. Anyone who has worked a double shift, closed out a long incident, or spent a day in back-to-back meetings knows the feeling of their own judgment thinning out. The pattern shows up in other high-stakes fields too. Doctors prescribe unnecessary antibiotics more often late in a clinic session than early in it, on the order of a few percentage points more by the end of the day (Linder et al., 2014). The science argues about the mechanism and the magnitude. The lived reality is not in question.
Security Is a Decision-Fatigue Machine
Now look at what a security professional actually does all day. They approve or deny access requests. They triage alerts, most of them noise, a few of them real. They grant exceptions to policy. They verify identities. They decide whether that email, that call, that request is legitimate. Security is not one big decision made once. It is a thousand small judgment calls made under time pressure, one after another, all day long.
That is the exact condition under which decision fatigue does its damage. And here is the part that matters most. When a depleted mind reaches for the easy answer, the easy answer in security is almost always the insecure one. Approving is easier than investigating. Clicking “allow” is easier than reading the request. Dismissing the alert is easier than chasing it down. Granting the exception is easier than defending the policy. The tired brain does not drift toward caution. It drifts toward whatever ends the decision fastest, and ending it fastest usually means letting something through.
So the security team’s judgment is best at nine in the morning and worst at the end of a hard day. The trouble is that the threats do not politely cluster around nine in the morning.
Attackers Attack the Tired
An intelligent adversary does not send the fraudulent wire request at a random moment. They send it late in the day, or on a Friday afternoon, or in the middle of an active incident when everyone is already stretched to the edge. Timing is part of the attack.
This is why urgency is the social engineer’s favorite tool. The psychology of CEO fraud runs on it. A manufactured emergency does two things at once. It pressures you to act fast, and it stacks one more heavy decision onto a mind that has already made too many. The attacker is doing more than exploiting your trust. They are exploiting your fatigue, and they pick the moment when you have the least of yourself left to bring to the problem.
The same logic applies to your defenders during a crisis. Three hours into an incident, the responder making the containment call is running on fumes, and that is precisely when the biggest, least reversible decisions get made. The people we most need to be sharp are usually the most depleted by the time it counts.
You Cannot Will Your Way Out of It
Here is the mistake most organizations make. They treat this as a discipline problem. Tell people to be more careful. Send them to another awareness training. Remind them to stay vigilant. None of that works, because you cannot lecture a tired brain into being a rested one. Willpower is not the missing ingredient. The load is the problem, and you fix a load problem by changing the load, not by asking people to carry it better.
That is a design job, and there are five moves that actually help.
Cut the decision volume. Every trivial decision you remove from a person’s day is one more good decision they have left for what matters. Automate the low-stakes, high-volume calls. Pre-decide the routine ones with clear policy so nobody has to relitigate them at 4:45. Judgment is a resource, and you should spend it on the things that need judgment.
Protect the high-stakes decisions. The big, irreversible calls, major access grants, incident containment, large transfers, should not be made by one depleted person at the end of a long day if you can avoid it. Schedule them when people are fresh. Build in a mandatory pause before anything irreversible. A short delay is cheap. An unrecoverable decision is not.
Put a second set of eyes on what counts. Decision fatigue hits individuals hardest, so do not route your most important calls through a single tired brain. Two-person verification on the decisions that can hurt you most is not bureaucracy. It is the recognition that one person at hour ten is not the same asset they were at hour one.
Build in recovery. The parole judges got their judgment back after a break. Breaks are not slack in the schedule. They are decision-quality maintenance. A team that never stops is a team whose decisions are quietly degrading all day, and the chronic version of this problem is burnout, which turns your most alert people into your most exploitable ones.
Make the safe choice the default. Since tired people take the path of least resistance, engineer the path of least resistance to be the secure one. Deny by default and require a justification to open access, so the effortless click is the safe click. When fatigue pushes someone toward the default, the default should be catching them, not selling them out.
The Human Is Part of the System
Decision fatigue is one more reason the person making the call belongs in your threat model, not outside it. You already model your network’s capacity and your systems’ limits. The operator has limits too, and they are just as real and just as predictable. A defense that assumes a well-rested, fully attentive human at every decision point is defending a system that does not exist.
We treat that operator, and the culture and biology around them, as the third layer of a real defense. It is the core of cognitive security and the human side of behavioral security, and it is the layer most organizations still leave undefended while they pour money into the other two.
You will never eliminate decision fatigue. It is a feature of the hardware. What you can do is stop pretending it is not there, and build a security program that expects a tired human and protects them anyway.
Want to see how much of your risk is riding on a depleted decision-maker? Measure it with our free Human Attack Surface Score, or contact Grab The Axe to build human factors into your defense.
A PhD candidate in Health Psychology and former Corrections Officer, Jeff founded GTA to dismantle passive security models. He focuses on the 'Human Zero-Day', mitigating executive burnout and decision fatigue before they become security breaches.
View Author Page →