My guess is that outside of the 'cyber security bubble', the concept of "security fatigue" comes as no surprise. Indeed as someone who is looking out from the bubble, I too can concur with this sentiment. 

In my opinion, whilst huge sums of are being invested in ever more elaborate solutions for the security teams within enterprise IT departments, there is very little evidence that much is changing for the end user/consumer.  

With users so often considered the weakest link remarkably little imagination goes into training solutions. Go to any cyber security trade show and look for innovative approaches to providing security awareness education. Its not really considered sexy which is why most messages are repetitive and the education often dry and/or patronising. Indeed there is a sort of prevailing "how hard can it be?" attitude, whereby we are continuously bombarded with messages about strong passwords, software updates and the need to be vigilant with our email.    

That said, last week I was  speaking with an associate of mine who works for a global enterprise. She explained how they were looking at increasingly innovative ways of driving the message home. For example the use of gamification and other 'millennial'  friendly techniques that capture the imagination rather than force their intended audience to tune out.   

It is to be hoped that the techniques being developed here could become the norm, will  filter down to the rest of us and ultimately help us all establish an unconscious competence when it comes to staying secure. With so many aspects of our lives now governed by what we do online, maybe we will ultimately evolve an innate, sixth sense that will ensure we no longer have to be educated, we just know!