Title:
Authors:
Abstract: Cybersecurity assessments have become a
routine feature of risk management in critical infrastructure organizations.
Maturity models, compliance audits, and structured evaluations are widely used
to demonstrate due diligence and inform decision-making. Despite this extensive
assessment activity, many organizations continue to experience significant
cyber incidents, raising questions about the effectiveness of assessment-driven
security strategies. This qualitative, conceptual analysis examines the
phenomenon of assessment fatigue and explores the governance conditions under
which cybersecurity assessment fails to produce meaningful risk reduction.
Rather than attributing failure to assessment quality or frequency alone, the
article argues that governance design determines whether assessment findings
translate into action. Drawing on perspectives on governance effectiveness,
symbolic compliance, and organizational learning, the study explains how
assessment can become performative rather than corrective. The article
concludes by identifying governance conditions under which assessment activity
contributes to absolute risk reduction and organizational resilience.

DOI: http://dx.doi.org/10.51505/ijaemr.2026.11210