Most humans have a great deal of difficulty dealing with security issues. This problem is well-known and the standard response is to blame the user, but the real problem is the fact that millennia of evolutionary conditioning has caused humans to act, and react, in predictable ways to certain stimuli and situations, to the extent that in some cases no (normal) human would respond to a security system in the way that its designers intended. This talk looks at what the field of cognitive psychology can tell us about the (often surprising) ways in which the human mind deals with computer security issues, providing insight both for defenders who need to design systems for the way that real people think rather than for an abstract ideal, and for attackers who want to exploit the weaknesses of security interfaces at the human level.