Psychology in cybersecurity

The psychology of cybersecurity (often intersecting with usable security and cyberpsychology) is an interdisciplinary field studying how human behavior, cognitive biases, and social dynamics influence information security. While traditional cybersecurity focuses on hardware and software vulnerabilities, this discipline addresses the "human factor," which is exploited in cyberattacks.[1][2][3] Psychology in cybersecurity draws from cognitive psychology and human–computer interaction.

History and evolution

The challenge of human behavior in computing was noted as early as the 1960s with multi-user mainframes like the Compatible Time-Sharing System (CTSS). In 1966, a software error on CTSS caused the system's master password file to be displayed to every user upon login—one of the earliest documented security incidents attributable to a combination of system design and human factors.[4]

These behaviors gained broader significance in the 1990s as the Internet became widely accessible. High-profile incidents involving figures like Kevin Mitnick demonstrated how human trust could be exploited through social engineering such as pretexting over the phone.[5]

Cognitive and behavioral factors

Much of the psychology of cybersecurity focuses on decision-making under stress or uncertainty. Researchers apply frameworks like dual process theory to explain why humans fall for phishing or business email compromise. Threat actors design malicious communications to trigger fast, emotional "System 1" thinking—using urgency, authority, or panic, which prompts users to click a link or wire funds before their analytical "System 2" can assess the situation's legitimacy.[6]

Industry research has consistently documented the effectiveness of these techniques at scale,[7][8] pointing to several recurring psychological phenomena that influence daily security practices:

  • Cognitive biases: The optimism bias leads users to believe they are unlikely to be targeted by cybercriminals, resulting in lax password practices or delayed software updates. The availability heuristic causes individuals to focus on highly publicized, sophisticated threats while ignoring common, statistically probable risks like credential reuse.[9]
  • Social influence: Attackers leverage established principles of persuasion, such as those categorized by Robert Cialdini. Impersonating a CEO leverages the psychological trigger of authority, while fake tech support scams use reciprocity (offering to fix a problem before asking for network credentials).[10]

Neurological and pre-cognitive factors

Functional magnetic resonance imaging (fMRI) studies show that neural activation in visual and attentional regions decreases with repeated exposure to the same stimulus, a phenomenon termed repetition suppression.[11] Experiments have confirmed this effect in the context of security warnings: static warning designs produce declines in user attention and adherence.[12][13]

Information processing research on phishing indicates that affective cues, such as artificial urgency or fear, increase cognitive load and elicit automatic heuristic processing, reducing the likelihood of analytical evaluation and facilitating compliance with malicious requests.[14][15]

Security fatigue and organizational dynamics

Aggressive cybersecurity postures can sometimes lead to mental and emotional exhaustion, a phenomenon known as security fatigue.[16][17]

Alert fatigue

One example is alert fatigue, which affects both end-users and security operations center (SOC) analysts. Continuous exposure to browser warnings or antivirus pop-ups, particularly those that are false positives, conditions users to dismiss alerts automatically due to the volume of notifications rather than their repetitive appearance (see § Neurological and pre-cognitive factors).[18] The scale of this problem is significant in enterprise environments: SOC teams in large organizations receive thousands of alerts daily, and a survey published in ACM Computing Surveys found that analysts spend over 25% of their time handling false positives, meaning that malicious indicators can be buried in the noise.[19]

Password fatigue

Similarly, password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work. Users cope with the memory burden by making predictable, iterative changes to their passwords (such as updating "Password01!" to "Password02!"), which decreases password security.[20]
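As an added illustration (not code from the article or any cited work), the following password-change check flags the predictable iterative updates described above by comparing the memorable "stem" of the old and new passwords and falling back to a similarity ratio; the function names and the 0.8 threshold are assumptions chosen for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed example: detect "iterative" password changes of the kind the
# article describes ("Password01!" -> "Password02!"), where the user keeps the
# memorable stem and only bumps a counter or trailing symbol.


def _stem(pw: str) -> str:
    """Lower-case the password and strip leading/trailing digits and symbols,
    leaving the part a user is actually remembering."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def is_iterative_change(old: str, new: str, threshold: float = 0.8) -> bool:
    """Return True if `new` is a predictable variant of `old`.

    Two tests are applied: identical stems (catches counter bumps and
    symbol swaps), then an overall similarity ratio for other small edits.
    The threshold (0.8) is an assumed policy value, not from the article.
    """
    if new == old:
        return True
    old_stem, new_stem = _stem(old), _stem(new)
    if old_stem and old_stem == new_stem:
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


def check_password_change(old: str, new: str) -> tuple[bool, str]:
    """Policy entry point: (accepted, reason) for a proposed change."""
    if is_iterative_change(old, new):
        return False, "new password is a predictable variant of the previous one"
    return True, "ok"


if __name__ == "__main__":
    for old_pw, new_pw in [("Password01!", "Password02!"),
                           ("Summer2023", "summer2024"),
                           ("Password01!", "correct horse battery staple")]:
        print(old_pw, "->", new_pw, check_password_change(old_pw, new_pw))
```

The comparison needs the current password in plaintext, which is available only at change time because the user supplies it; it must never be retained for this purpose, and a policy that blocks iterative changes should be paired with a password manager or long-lived passphrases rather than more frequent rotation.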

References

  1. Anderson, Ross (2020). Security Engineering: A Guide to Building Dependable Distributed Systems (3rd ed.). Wiley. ISBN 978-1119642787.
  2. Adams, Anne; Sasse, M. Angela (1999). "Users Are Not the Enemy". Communications of the ACM. 42 (12): 40–46. doi:10.1145/322796.322806.
  3. Ferreira, Ana; Coventry, Lynne; Lenzini, Gabriele (2023). "Usable Security: A Systematic Literature Review". Information. 14 (12): 641. doi:10.3390/info14120641.
  4. Corbató, Fernando J. (1991). "On Building Systems That Will Fail". Communications of the ACM. 34 (9). doi:10.1145/114669.114686.
  5. Mitnick, Kevin; Simon, William (2002). The Art of Deception: Controlling the Human Element of Security. Wiley. ISBN 978-0471237129.
  6. Vishwanath, Arun; Herath, Tejaswini; Chen, Rui; Wang, Jingguo; Rao, H.R. (2011). "Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model". Decision Support Systems. 51 (3). doi:10.1016/j.dss.2011.03.002.
  7. Verizon Business (2025). 2025 Data Breach Investigations Report (DBIR) (Report). Retrieved 8 March 2026.
  8. Ho, Grant; Sharma, Aashish; Javed, Mobin; Paxson, Vern; Wagner, David (2019). "Detecting and Characterizing Lateral Phishing at Scale". 28th USENIX Security Symposium (USENIX Security 19). USENIX Association. pp. 1273–1290.
  9. Pattinson, Malcolm; Jerram, Chris; Parsons, Kathryn; McCormac, Agata; Butavicius, Marcus (2012). "Why do some people manage phishing e-mails better than others?". Information Management & Computer Security. 20 (1): 18–28. doi:10.1108/09685221211219173.
  10. Hadnagy, Christopher (2010). Social Engineering: The Art of Human Hacking. Wiley. ISBN 978-0470639535.
  11. Grill-Spector, K.; Henson, R.; Martin, A. (2006). "Repetition and the brain: neural models of stimulus-specific effects". Trends in Cognitive Sciences. 10 (1): 14–23. doi:10.1016/j.tics.2005.11.006.
  12. Vance, Anthony; Jenkins, Jeffrey L.; Anderson, Bonnie Brinton; Bjornn, Daniel K.; Kirwan, C. Brock (2018). "Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments". MIS Quarterly. 42 (2): 355–380. doi:10.25300/MISQ/2018/14124.
  13. Ismail, I.; Bakar, N. A.; Zukarnain, Z. A. (2021). "Harnessing the Challenges and Solutions to Improve Security Warnings: A Review". Sensors. 21 (22): 7607. doi:10.3390/s21227607.
  14. Wright, R. T.; Johnson, S. L.; Kitchens, B. (2023). "Phishing Susceptibility in Context: A Multilevel Information Processing Perspective on Deception Detection". MIS Quarterly. 47 (2): 803–832. doi:10.25300/MISQ/2022/16625.
  15. Tian, C. A.; Jensen, M. L.; Bott, G. J.; Luo, X. R. (2024). "The influence of affective processing on phishing susceptibility". European Journal of Information Systems. 34 (3): 460–474. doi:10.1080/0960085X.2024.2351442.
  16. Stanton, Brian; Theofanos, Mary; Prettyman, Sandra Spickard; Furman, Susanne (2016). "Security Fatigue". IT Professional. 18 (5): 26–32. doi:10.1109/MITP.2016.84.
  17. Reeves, Andrew; Delfabbro, Paul; Calic, Dragana (2021). "Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue". SAGE Open. 11 (1). doi:10.1177/21582440211000049.
  18. Akhawe, Devdatta; Felt, Adrienne Porter (2013). "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness". 22nd USENIX Security Symposium.
  19. "Alert Fatigue in Security Operations Centres: Research Challenges and Opportunities" (2025). ACM Computing Surveys. doi:10.1145/3723158.
  20. Florencio, Dinei; Herley, Cormac (2007). "A Large-Scale Study of Web Password Habits". Proceedings of the 16th International Conference on World Wide Web (WWW). doi:10.1145/1242572.1242661.

Further reading

  • Anderson, Ross (2020). Security Engineering: A Guide to Building Dependable Distributed Systems (3rd ed.). Wiley. ISBN 978-1119642787.
  • Cranor, Lorrie Faith; Garfinkel, Simson (2005). Security and Usability: Designing Secure Systems that People Can Use. O'Reilly Media. ISBN 978-0596008277.
  • Schneier, Bruce (2015). Secrets and Lies: Digital Security in a Networked World. Wiley. ISBN 978-1119092438.
  • Singh, Tarnveer; Zheng, Sarah Y. (2026). The Psychology of Cybersecurity: Hacking and the Human Mind. Routledge. ISBN 978-1041005704.
  • Sachs, Dustin S. (2025). Behavioral Insights in Cybersecurity: A Guide to Digital Human Factors. CRC Press. ISBN 978-1032998268.
  • Hadlington, Lee; Ryding, Chloe (2025). Human Factors and Cybersecurity: The Psychology of Online Safety and Security. Routledge. ISBN 978-1032831985.