DeReact, DeFatigue and Deceive: Psychology for Better Cybersecurity Design
Cybercrimeology, 1 April 2025

Episode Notes:

  • Dr. Reeves’ Background – Trained as a psychologist, his interest in cybersecurity emerged from a talk connecting human error to security breaches.
  • Cybersecurity Fatigue Defined – A form of disengagement where employees lose motivation to follow security practices due to overload and conflicting advice.
  • Not Just Apathy – Fatigue often affects people who initially cared about cybersecurity but were worn down by excessive or ineffective interventions.
  • Training Shortcomings – Lecture-style, one-way training is frequently perceived as boring, irrelevant, or contradictory to users' experiences.
  • Compliance vs. Effectiveness – Many organizations implement security training to meet legal requirements, even if it fails to change behavior.
  • Reactance in Security – Users may intentionally ignore advice or rules to assert control, especially when training feels micromanaging or patronizing.
  • Better Through Design – Reeves argues that secure systems should reduce the need for user decisions by simplifying or removing risky options altogether.
  • Remove Rather Than Train – Limiting administrative rights is often more effective than trying to educate users out of risky behaviors.
  • Mismatch With Reality – Generic training that conflicts with real policies or system restrictions can confuse or alienate users.
  • Cognitive Load and Decision-Making – Under stress or fatigue, users rely on mental shortcuts (heuristics), which attackers exploit.
  • Personal Example of Being Fooled – Reeves recounts nearly falling for a scam due to time pressure, illustrating how stress weakens judgment.
  • Cybersecurity Buddy System – Recommends encouraging users to consult peers when making sensitive decisions, especially under pressure.
  • Cyber Deception Strategies – Reeves now researches ways to mislead and trap attackers inside systems using decoys and tripwires.
  • Applying Psychology to Attackers – The same behavioral models used to study users can help predict and manipulate attacker behavior.
  • Empowering Defenders – Deception technologies can help security teams regain a sense of agency, shifting from reactive defense to proactive engagement.

About our guest:

Dr. Andrew Reeves

Papers or resources mentioned in this episode:

Reeves, A., Delfabbro, P., & Calic, D. (2021). Encouraging employee engagement with cybersecurity: How to tackle cyber fatigue. SAGE Open, 11(1).

https://doi.org/10.1177/21582440211000049

Reeves, A., Calic, D., & Delfabbro, P. (2023). Generic and unusable: Understanding employee perceptions of cybersecurity training and measuring advice fatigue. Computers & Security, 128, 103137.

https://doi.org/10.1016/j.cose.2023.103137

Reeves, A., & Ashenden, D. (2023). Understanding decision making in security operations centres: Building the case for cyber deception technology. Frontiers in Psychology, 14, 1165705.

https://doi.org/10.3389/fpsyg.2023.1165705

Other:

UNSW Institute for Cyber Security (IFCYBER)

https://www.unsw.edu.au/research/ifcyber
