Episode Notes:
- Dr. Reeves’ Background – Trained as a psychologist, his interest in cybersecurity emerged from a talk connecting human error to security breaches.
- Cybersecurity Fatigue Defined – A form of disengagement where employees lose motivation to follow security practices due to overload and conflicting advice.
- Not Just Apathy – Fatigue often affects people who initially cared about cybersecurity but were worn down by excessive or ineffective interventions.
- Training Shortcomings – Lecture-style, one-way training is frequently perceived as boring, irrelevant, or contradictory to users' experiences.
- Compliance vs. Effectiveness – Many organizations implement security training to meet legal requirements, even if it fails to change behavior.
- Reactance in Security – Users may intentionally ignore advice or rules to assert control, especially when training feels micromanaging or patronizing.
- Better Through Design – Reeves argues that secure systems should reduce the need for user decisions by simplifying or removing risky options altogether.
- Remove Rather Than Train – Limiting administrative rights is often more effective than trying to educate users out of risky behaviors.
- Mismatch With Reality – Generic training that conflicts with real policies or system restrictions can confuse or alienate users.
- Cognitive Load and Decision-Making – Under stress or fatigue, users rely on mental shortcuts (heuristics), which attackers exploit.
- Personal Example of Being Fooled – Reeves recounts nearly falling for a scam due to time pressure, illustrating how stress weakens judgment.
- Cybersecurity Buddy System – Recommends encouraging users to consult peers when making sensitive decisions, especially under pressure.
- Cyber Deception Strategies – Reeves now researches ways to mislead and trap attackers inside systems using decoys and tripwires.
- Applying Psychology to Attackers – The same behavioral models used to study users can help predict and manipulate attacker behavior.
- Empowering Defenders – Deception technologies can help security teams regain a sense of agency, shifting from reactive defense to proactive engagemen
About our guest:
Dr. Andrew Reeves
Papers or resources mentioned in this episode:
Reeves, A., Delfabbro, P., & Calic, D. (2021). Encouraging employee engagement with cybersecurity: How to tackle cyber fatigue. SAGE Open, 11(1).
https://doi.org/10.1177/21582440211000049
Reeves, A., Calic, D., & Delfabbro, P. (2023). Generic and unusable: Understanding employee perceptions of cybersecurity training and measuring advice fatigue. Computers & Security, 128, 103137.
https://doi.org/10.1016/j.cose.2023.103137
Reeves, A., & Ashenden, D. (2023). Understanding decision making in security operations centres: Building the case for cyber deception technology. Frontiers in Psychology, 14, 1165705.
https://doi.org/10.3389/fpsyg.2023.1165705
Other:
UNSW Institute for Cyber Security (IFCYBER)
https://www.unsw.edu.au/research/ifcyber