
Behavioral Science
Why employees take shortcuts around secure workflows
Employees take shortcuts around secure workflows when the secure option adds friction at the exact moment they are trying to keep work moving.
A payment is waiting for approval. Messages keep coming in. The next task cannot move until this one does. Then a security step appears that adds friction at exactly the wrong moment. Employees often bypass secure workflows at that point. Not because they do not know better, but because the secure route feels harder to follow in the middle of real work.
In the Adaptive Defense Playbook survey, 38% of security leaders say the security guidance employees receive is too generic for the way work actually gets done. 34% say employees are more likely to leave secure processes behind when the easier option is quicker. 30% say workload and time pressure make secure behaviour harder to maintain throughout the day.
TL;DR
This article looks at why employees drift away from secure workflows, where generic security guidance loses value, and what organisations can do to make the secure route easier to follow in practice.
38% say guidance is too generic.
34% say employees take the path of least resistance.
30% say workload and time pressure prevent secure behaviour.
(Source: Adaptive Defense Playbook 2026)
Security is competing with employees’ mental bandwidth
Cognitive overload makes shortcuts more likely.
A 2024 workload and phishing susceptibility experiment found that people under high workload spent half as much time reading emails and were more likely to click phishing messages when those messages looked relevant to the task in front of them. It shows that judgement starts to slip when attention is stretched and the request looks like part of the job.
Another study found that time pressure weakened the effect of security knowledge on compliance, while decision-making autonomy strengthened security participation. Employees may know the secure step and still skip it when work feels rushed.
That pressure is not easing. In Microsoft’s 2024 Work Trend Index, 68% of people said they struggle with the pace and volume of work, and 46% said they feel burned out. In a busier, AI-shaped working day, the secure route can lose out simply because it feels slower at the point of decision.
Why generic security guidance breaks down in real workflows
Generic guidance sounds fine until someone has to apply it. Advice such as “be careful” or “follow the policy” rarely helps when a real decision lands in front of an employee. It does not tell a finance team how to check a supplier bank-change request or a recruiter how to handle a candidate file sent through an unfamiliar link.
That is where broad security advice starts to lose value. It names the rule, but not the action. Employees still have to fill in the gap themselves. Effective guidance does more than point to policy. It shows what the secure step looks like in a specific role, task, or workflow.
That is also where a cybersecurity awareness training programme needs to become more practical, and where role-based e-learning in cybersecurity becomes more useful than one-size-fits-all reminders. A 2025 meta-analysis on the effect of cybersecurity training on end-users found that training tends to improve knowledge and attitudes more than observed behaviour. That is a useful warning against treating completion as proof of change. The stronger approach is to give people guidance they can recognise, actions they can use, and examples that match the work they actually do.
What better, lower-friction security intervention looks like
Security leaders usually see the same pattern when employees bypass secure workflows: the workflow asks them to slow down, interpret too much, or fill in the gaps for themselves.
| Friction in the current workflow | What better intervention looks like |
| --- | --- |
| A security step appears at the wrong time | Move guidance closer to the decision point. |
| Policy is broad and abstract | Translate it into role-specific actions. |
| Employee does not know how to escalate | Give a clear, low-friction escalation route. |
| Training feels generic | Use realistic, role-relevant scenarios. |
| Success is currently measured by completion only | Track reporting and behaviour patterns. |
Once those weak points are visible, the intervention becomes much more practical.
1. Put the secure step where the decision happens
If employees need to verify a supplier change, escalate a suspicious request, or check a document, the next step should be easy to find in the workflow itself. The more people have to stop, search, or interpret policy language for themselves, the more likely they are to move on without it.
When policy itself is part of the problem, SoSafe’s Policy to Lesson can turn a long policy document into a short interactive lesson, and Learn Anywhere makes that reinforcement easier to deliver across devices and languages.
2. Use reported attacks to keep security training current
Security teams use SoSafe Threat Inbox to review and classify reported emails, inspect links, attachments, and headers safely, and send feedback back to the employee who reported them. That helps while the context is still fresh.
Confirmed malicious emails can then be turned into safe simulation templates. With Recreate Attack, teams turn screenshots of real phishing emails into editable simulations in minutes. The benefit is less manual rebuilding, faster follow-up, and practice that stays closer to what employees are actually seeing.
3. Train your employees’ judgement and measure the improvement
Personalised phishing simulations let employees practise role- and channel-specific decisions instead of generic red-flag spotting.
A study found that 5 weeks of practice and feedback improved reporting for up to 12 months compared with awareness-based training alone. Human Risk OS™ then helps teams see whether reporting, questioning, and escalation are improving in practice, so they can fix the workflow instead of sending another broad reminder.
Reduce the friction that weakens secure behaviour
Download the report to see how security leaders are improving role relevance, reducing shortcuts, and strengthening behaviour in real workflows.












