Security tasks can burden the individual, to the extent that security fatigue promotes habits that undermine security. Here we revisit a series of user-centred studies which focus on security mechanisms as part of regular routines, such as two-factor authentication. By examining routine security behaviours, these studies expose perceived contributors and consequences of security fatigue, and the strategies that a person may adopt when feeling overburdened by security. Behaviours and strategies are framed according to a model of cognitive control modes, to explore the role of human performance and error in producing security fatigue. Security tasks are then considered in terms of modes such as unconscious routines and knowledge-based ad-hoc approaches. Conscious attention can support adaptation to novel security situations, but is error-prone and tiring; both simple security routines and technology-driven automation can minimise effort, but may miss cues from the environment that a nuanced response is required
