Nearly half of cybersecurity professionals surveyed in a recent academic study said they have considered leaving the field, citing relentless workloads, chronic understaffing, and the psychological toll of defending against threats that never stop evolving. The findings, published as a preprint on arXiv, put hard numbers behind a problem that security leaders have described in hallway conversations for years but rarely seen quantified outside of vendor-sponsored reports.
The paper lands at a precarious moment. The global cybersecurity workforce gap now exceeds 4 million unfilled positions, according to ISC2’s 2024 Cybersecurity Workforce Study. If the people already in the field start walking away, organizations face a compounding crisis: not just too few defenders, but fewer experienced ones willing to stay.
What the survey actually found
The study, titled “A Survey-Based Quantitative Analysis of Stress Factors and Their Impacts Among Cybersecurity Professionals,” collected responses from working practitioners and applied statistical modeling to identify which pressures correlate most strongly with burnout and intent to quit. The top stress drivers included excessive workload, the constant pace of emerging threats, insufficient organizational support, and staffing levels that force small teams to cover sprawling attack surfaces.
Among the most striking results: roughly half of respondents reported that they had seriously considered leaving cybersecurity altogether. That figure aligns with broader patterns documented in ISC2’s workforce research, which found in 2024 that 67% of security teams reported staffing shortages and that morale had declined year over year.
The study’s sample size is modest. The preprint does not prominently disclose the exact number of respondents, and the original article reporting on the research does not specify it either. That omission makes it harder for readers to judge how much weight to place on the percentages. What can be said is that the authors themselves acknowledge the sample is not large enough to serve as a definitive census of the global workforce. Readers should treat specific figures with appropriate caution until larger-scale studies replicate the findings.
Why this study matters beyond the numbers
Most existing data on cybersecurity burnout comes from vendor-sponsored surveys, which tend to frame workforce problems as solvable through product purchases, typically automation tools or managed services. The arXiv preprint carries no commercial agenda. It sits on an open-access platform operated by Cornell University and supported by a coalition of member institutions spanning universities and research libraries worldwide. That independence makes it a cleaner reference point for employers and policymakers trying to separate signal from sales pitch.
The paper’s methodology also offers something replicable. By designing a structured survey instrument tied to validated stress metrics, the researchers created a framework that larger studies can adopt. Even if the current sample cannot represent every corner of the profession, from entry-level SOC analysts at regional firms to senior architects at multinational banks, the model itself is a contribution. Future research with broader samples can build on it.
The gaps that remain
Important questions sit outside the study’s scope. The survey captures intent to quit, not actual attrition. Saying “I want to leave” and submitting a resignation letter are different decisions separated by financial realities, career inertia, and sometimes a single good week at work. Without longitudinal follow-up tracking whether respondents actually left, the gap between intention and action remains unmeasured.
The paper also does not compare cybersecurity burnout rates against other high-stress professions. Emergency medicine, law enforcement, and air traffic control all face similar dynamics of constant vigilance and high consequences for mistakes. Context about how cybersecurity stacks up against those fields would help organizations calibrate their response. Is cybersecurity burnout unusually severe, or is it consistent with what any always-on profession experiences? The data to answer that question does not yet exist in a single comparative study.
Government agencies have begun acknowledging the retention side of the workforce problem, though their focus has historically been on headcount. The Cybersecurity and Infrastructure Security Agency (CISA) has published workforce development strategies that touch on retention, but detailed federal data on why practitioners leave remains sparse. The arXiv preprint is one of the few independent, non-commercial sources attempting to quantify the emotional toll, which makes it valuable but also means the evidence base is still thin.
Direct, on-the-record statements from individual cybersecurity professionals describing their personal experiences with burnout are absent from both the preprint and the available reporting around it. The paper aggregates survey responses into statistical findings, which is standard for quantitative research. But without named practitioners willing to speak publicly about what daily burnout looks and feels like, the human dimension of the crisis remains underrepresented. Aggregated data tells us that a problem exists at scale; individual accounts would help explain why it persists despite years of industry awareness. As of May 2026, no named practitioner quotes tied to this specific study have surfaced in public reporting.
What organizations can do before the next budget cycle
Security leaders do not need to wait for a definitive, large-scale study to act on what this research suggests. The stress factors the paper identifies, workload, understaffing, lack of support, are not mysteries. They are operational decisions that organizations make, or fail to make, every budget cycle.
Concrete steps start with staffing models that reflect actual threat volume rather than last year’s headcount. On-call rotations need to be sustainable, not built on the assumption that analysts will absorb unlimited after-hours alerts. Mental health resources should go beyond a line item in an employee handbook; some organizations have begun offering cybersecurity-specific counseling that accounts for the unique pressures of incident response and threat hunting.
The cybersecurity talent shortage has been a recurring theme in industry discussions for over a decade. What this preprint adds is a structured, data-driven lens on the emotional and psychological dimensions of that shortage. The people who protect networks and data are not just scarce. They are exhausted. And when exhaustion tips into resignation, the cost falls on every organization and user that depends on their work. The evidence as of spring 2026 is preliminary, but its direction is clear enough to demand action rather than another cycle of acknowledging the problem and doing nothing about it.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
