Cybercrimeology
DeReact, DeFatigue and Deceive: Psychology for Better Cybersecurity Design
Episode Summary
What happens when people get tired of cybersecurity? Dr. Andrew Reeves from the UNSW Institute for Cyber Security joins us to explore how psychological principles—like fatigue, reactance, and decision-making under pressure—shape both how users engage with cybersecurity and how attackers and defenders can exploit them. We talk about what goes wrong with security training, why users push back against well-meaning policies, and how simple design choices can reduce cognitive load and increase compliance. Dr. Reeves also shares his work on cyber deception and how defenders can turn the tables, using stress, uncertainty, and time pressure to mislead attackers inside networks. This episode weaves together user behavior, system design, and attacker psychology into a broader conversation about how we shape—and are shaped by—the security systems we live with.
Episode Notes
- Dr. Reeves’ Background – Trained as a psychologist, his interest in cybersecurity emerged from a talk connecting human error to security breaches.
- Cybersecurity Fatigue Defined – A form of disengagement where employees lose motivation to follow security practices due to overload and conflicting advice.
- Not Just Apathy – Fatigue often affects people who initially cared about cybersecurity but were worn down by excessive or ineffective interventions.
- Training Shortcomings – Lecture-style, one-way training is frequently perceived as boring, irrelevant, or contradictory to users' experiences.
- Compliance vs. Effectiveness – Many organizations implement security training to meet legal requirements, even if it fails to change behavior.
- Reactance in Security – Users may intentionally ignore advice or rules to assert control, especially when training feels micromanaging or patronizing.
- Better Through Design – Reeves argues that secure systems should reduce the need for user decisions by simplifying or removing risky options altogether.
- Remove Rather Than Train – Limiting administrative rights is often more effective than trying to educate users out of risky behaviors.
- Mismatch With Reality – Generic training that conflicts with real policies or system restrictions can confuse or alienate users.
- Cognitive Load and Decision-Making – Under stress or fatigue, users rely on mental shortcuts (heuristics), which attackers exploit.
- Personal Example of Being Fooled – Reeves recounts nearly falling for a scam due to time pressure, illustrating how stress weakens judgment.
- Cybersecurity Buddy System – Recommends encouraging users to consult peers when making sensitive decisions, especially under pressure.
- Cyber Deception Strategies – Reeves now researches ways to mislead and trap attackers inside systems using decoys and tripwires.
- Applying Psychology to Attackers – The same behavioral models used to study users can help predict and manipulate attacker behavior.
- Empowering Defenders – Deception technologies can help security teams regain a sense of agency, shifting from reactive defense to proactive engagement.
About our guest:
Dr. Andrew Reeves
Papers or resources mentioned in this episode:
Reeves, A., Delfabbro, P., & Calic, D. (2021). Encouraging employee engagement with cybersecurity: How to tackle cyber fatigue. SAGE Open, 11(1).
https://doi.org/10.1177/21582440211000049
Reeves, A., Calic, D., & Delfabbro, P. (2023). Generic and unusable: Understanding employee perceptions of cybersecurity training and measuring advice fatigue. Computers & Security, 128, 103137.
https://doi.org/10.1016/j.cose.2023.103137
Reeves, A., & Ashenden, D. (2023). Understanding decision making in security operations centres: Building the case for cyber deception technology. Frontiers in Psychology, 14, 1165705.
https://doi.org/10.3389/fpsyg.2023.1165705
Other:
UNSW Institute for Cyber Security (IFCYBER)
https://www.unsw.edu.au/research/ifcyber