
Why Smart Employees Still Ignore IT Policies (And What to Do About It)

  • Writer: Shola Hassan
  • Dec 1
[Image: Two office workers sit in front of a computer flooded with security warning pop-ups. They look stressed and overwhelmed, representing employee security fatigue and the struggle to follow IT policies.]
When security controls create friction and fatigue, even well-meaning employees start looking for workarounds.

Most organizations assume that if they publish an IT policy and run annual training, employees will follow the rules.

Reality: they don’t.

Industry surveys show that a large majority of employees admit to bypassing security policies at least once a year. Many incidents are linked to people “working around” security controls to get their job done faster.

So the issue isn’t just awareness. It’s the gap between how work is designed on paper and how work actually happens day to day.


It’s not that employees don’t care

We like the simple story: “employees are careless.” But research paints a different picture:

  • People often break rules to help a colleague, solve a problem, or meet a deadline, not to cause harm.

  • When policies feel unrealistic, employees invent their own “shadow security” – unofficial ways of protecting data that fit their workflow better than the official rules.

So instead of “bad employees vs good policies,” it’s usually good people stuck between business pressure and clunky controls.


Five reasons employees struggle to follow IT policies

1. Policies don’t match real workflows

Controls that slow people down will get bypassed:

  • Locked-down file sharing → staff use personal email or consumer cloud apps.

  • Painful VPN setups → people work from less secure networks.

From their perspective, they’re solving a business problem the policy ignored.

2. Security fatigue

Constant prompts, warnings and rules lead to security fatigue – people feel overwhelmed and start ignoring everything, including important alerts.

The more decisions you force on users (“approve / deny / click / confirm”), the more likely they are to default to the easiest option just to move on.

3. Confusing or irrelevant policies

Even when policies exist, they’re often:

  • Long, legalistic PDFs no one reads.

  • Generic rules that don’t explain what this team or this role should actually do.

If employees don’t know where the policy is, don’t understand it, or can’t see how it applies to their work, compliance will be patchy at best.

4. Culture and incentives send mixed messages

If all the praise goes to “the person who shipped fastest,” not “the person who did it securely,” the message is clear: speed wins.

When managers quietly ask staff to “just send it to my Gmail” or “skip the form this time,” culture is overriding policy. People follow what leaders do, not what the PDF says.

5. Low perceived personal risk

For many staff, security incidents feel abstract: “IT will handle it.”

Employees are more likely to care when they see the human impact:

  • a real customer harmed,

  • a lost deal,

  • a reputational hit that affects their own work.

If security is always framed as “because the auditors said so,” it won’t feel urgent.


What actually works (beyond more training)

You can’t punish or PowerPoint your way into perfect policy compliance. But you can design security so that the secure way is the easiest way.

1. Make policies usable

  • Keep them short and task-based (“How we share files with clients”) instead of 30-page documents.

  • Involve users when designing controls – ask, “How do you really do this today?”

  • Always explain the “why” in plain language.

2. Reduce friction with better tools and defaults

  • Use SSO so people have fewer passwords to manage.

  • Provide simple, approved tools for file sharing and collaboration.

  • Set secure defaults so users don’t need to make dozens of security decisions every day.

3. Upgrade security awareness

  • Swap yearly marathons for short, regular, scenario-based learning.

  • Tailor training for high-risk roles (Finance, HR, Sales).

  • Use simulations and give immediate, constructive feedback, not just blame.

4. Align culture and incentives

  • Add basic security behaviours to performance conversations.

  • Recognise teams who report issues early and suggest better ways of working.

  • Make sure leaders follow the same rules – no executive exceptions.

5. Treat non-compliance as a signal

Instead of only asking “Who broke the rule?”, also ask:

  • “What does this tell us about the rule?”

  • “Is this control unrealistic or confusing?”

  • “Are our KPIs forcing people to choose between speed and security?”

Every workaround is free user research.


Bottom line

Employees ignoring IT policies isn’t just a people problem — it’s a design problem.

If policies fight against how work actually happens, people will do what they’ve always done: find a way to get the job done.

The organizations that win are the ones that:

  • design usable policies,

  • reduce friction with better tools, and

  • build a culture where secure = normal, not “extra work.”


References

Stanton, B. C., Prettyman, S., Theofanos, M., & Furman, S. (2016). “Security Fatigue.” IEEE Software. National Institute of Standards and Technology. https://www.nist.gov/publications/security-fatigue

National Institute of Standards and Technology. (2016). “‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly.” https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly

Kirlappos, I., Parkin, S., & Sasse, M. A. (2014). “Learning from ‘Shadow Security’: Why Understanding Non-Compliant Behaviors Provides the Basis for Effective Security.” Network and Distributed System Security Symposium (NDSS).

Kaspersky. (2017). “The Human Factor in IT Security: How Employees Are Making Businesses Vulnerable from Within.”

BizTech Magazine. (2017). “Report: Employees Cause 46% of Cybersecurity Incidents.” (Summary of the Kaspersky “Human Factor in IT Security” survey.) https://biztechmagazine.com/article/2017/07/report-employees-cause-46-cybersecurity-incidents

Fortinet. (2024). “2024 Security Awareness and Training Global Research Report.”

Hornetsecurity. (2024). “Security Awareness Survey: 1 in 4 (25.7%) Organizations Do Not Provide IT Security Awareness Training.”

Gartner. (2024). “Gartner Survey Shows a Strong Ethical Culture Isn’t Enough to Stop Noncompliance.” Newsroom press release.

Posey, C., & Shoss, M. “Why Employees Violate Cybersecurity Policies.” Summarized in Advisory Board: “Why Do Employees Break Cybersecurity Rules? There’s a ‘Dark Side’ to Helping.”

Office of the Privacy Commissioner of Canada (OPC). (2024). “2023–24 Survey of Canadian Businesses on Privacy-Related Issues.”
