Impact of Human Factors on Cybersecurity
Introduction
Human factors are the primary source of cybersecurity vulnerabilities, with human errors, such as miscalculations, contributing to over 80% of cyber incidents, data breaches, and malware attacks (Triplett, 2022). Leaders often treat breaches as technological issues, neglecting managerial and behavioral aspects, which leads to insufficient training, poor policy enforcement, and inadequate awareness (Hadlington, 2018). This oversight results in repeated incidents, economic losses, and regulatory penalties. Security fatigue and stress among employees, exacerbated by poor communication within organizations, create silos that hinder effective cybersecurity practices (Nobles, 2018). Employees, often the weakest link, are susceptible to social engineering due to inadequate training or complacency (Dawson & Thomson, 2018). For instance, imprudent behaviors such as sharing passwords or clicking malicious links expose organizations to risks (Aldawood & Skinner, 2019). Limited communication and overextension of employees contribute to stress, which in turn increases errors (Maalem Lahcen et al., 2020). Addressing these human factors requires understanding risks from cultural and enterprise perspectives, as the volume of information processed daily can overwhelm employees, making cybersecurity a daunting task (Triplett, 2022). A shift toward human-centric leadership is crucial for effectively mitigating these vulnerabilities.
Analysis
Triplett (2022) proposes a multifaceted approach to address human factors in cybersecurity leadership, emphasizing education, awareness, and communication. He advocates for processes to reduce human errors by fostering a collaborative security culture, mitigating stress-induced mistakes (Parenty & Domet, 2019). Effective communication plans should engage employees emotionally and socially, ensuring cybersecurity is viewed as integral to the business model (Triplett, 2022). A key recommendation is to expand the chief information security officer’s (CISO) role to oversee all cybersecurity aspects, requiring not only technical expertise but also business acumen and interpersonal skills to bridge the gaps between management and technical staff (Triplett, 2022). CISOs should incentivize best practices, develop social capital to manage nontechnical employees, and implement accountability through a cybersecurity charter that sets clear goals (Parenty & Domet, 2019). Leadership development programs focusing on team building, self-awareness, emotional intelligence, and trust are essential to support this expanded role (Triplett, 2022). Coaching and monitoring employees can further reinforce accountability while addressing workplace conditions that contribute to security fatigue (Hadlington, 2018). By viewing cybersecurity as a business strategy rather than a technical operation, leaders can align organizational goals with security practices (Nobles, 2018). Triplett’s approach highlights the importance of CISOs communicating effectively with subordinates, ensuring employees adopt appropriate cybersecurity practices and thereby reducing vulnerabilities stemming from human behavior (Aldawood & Skinner, 2019). This holistic strategy integrates human factors into cybersecurity leadership to enhance organizational resilience against evolving threats.
Triplett’s (2022) emphasis on human factors in cybersecurity leadership is supported by several studies. Korovessis et al. (2021) advocate for a holistic approach, viewing humans as the first line of defense, aligning with Triplett’s focus on behavior-driven strategies. Similarly, Mofrad et al. (2025) propose an interdisciplinary framework integrating psychological and organizational dimensions, emphasizing emotional intelligence in leadership, which supports Triplett’s call for enhanced CISO skills. Thorn (n.d.) notes that 90% of cyber failures stem from human error, reinforcing the need for human-centric strategies as Triplett suggests.
However, Triplett’s approach has several weak spots. These include a lack of novelty, insufficient depth of study, and the general conclusion that humans are the weakest link, which is already well established. Other researchers, such as Chamorro-Premuzic (2023), suggest that AI-driven solutions could reduce human error, implying that Triplett’s human-centric focus might overlook technological advancements. Similarly, SoftProdigy (2023) advocates for a balanced approach that combines human and technological solutions, suggesting that Triplett’s emphasis on human factors alone may be incomplete.
Additionally, real-world examples highlight challenges in implementing Triplett’s solutions. The 2019 Capital One breach, where a misconfigured firewall led to a data breach affecting over 100 million customers, occurred despite a CISO’s presence and resulted in the CISO’s replacement (CSO Online, 2020). Similarly, the 2017 Equifax breach, caused by an unpatched portal, exposed 143 million records, leading to the departure of the CSO and CIO (CSO Online, 2020). These cases demonstrate that expanding the CISO role and implementing training do not guarantee success, as organizational complacency and technical oversights persist (Baskh & Almukahal, 2024). Factors like inadequate policy enforcement and stress-induced errors, as noted by Triplett (2022), contributed to these failures, underscoring the complexity of addressing human factors.
These examples and critiques highlight that while Triplett’s focus on human factors is valid, practical implementation faces significant hurdles, including resistance to cultural change and the need for balanced technological integration (Dawson & Thomson, 2018). Effective cybersecurity leadership requires addressing these challenges to ensure human-centric strategies translate into tangible outcomes.
Alternative solutions to Triplett’s (2022) human-centric approach include economic and organizational strategies. Wessels et al. (2021) propose economic incentives, such as linking performance to compensation and leveraging network externalities, to motivate cybersecurity leadership. This contrasts with Triplett’s focus on education by emphasizing financial drivers to encourage proactive security measures. Dalal et al. (2021) suggest fostering collaboration through norms, enhancing social maturity, managing diversity, building trust in automation, and developing resilience strategies. These approaches prioritize team dynamics and organizational culture over Triplett’s CISO-centric model, offering broader engagement across staff levels.
The impact of firm size on cybersecurity is also significant. Chidukwani et al. (2022) highlight that small to medium-sized businesses (SMBs) face higher proportional costs from cyberattacks, with 60% closing within six months post-attack due to limited resources. In contrast, larger enterprises benefit from greater budgets and specialized teams, enabling more robust defenses (Chidukwani et al., 2022). This suggests that Triplett’s solutions, while applicable, may require tailoring for SMBs, which struggle with implementing comprehensive training or expanding CISO roles due to resource constraints.
These alternatives complement Triplett’s (2022) framework by addressing motivational and structural factors. Economic incentives can drive leadership accountability, while collaborative strategies enhance employee engagement, thereby reducing vulnerabilities such as those from security fatigue (Hadlington, 2018). Firm size considerations underscore the need for scalable solutions, ensuring that cybersecurity strategies align with an organization’s capacity (Chidukwani et al., 2022). Integrating these approaches with Triplett’s human-centric focus could create a more resilient cybersecurity framework.
Conclusion
Human factors remain central to cybersecurity, with leadership playing a pivotal role in fostering awareness and culture (Triplett, 2022). Triplett’s solutions, such as expanding CISO roles and improving communication, address critical vulnerabilities, but implementation challenges, as seen in the Capital One and Equifax breaches, highlight their limitations (CSO Online, 2020). Alternatives, such as economic incentives (Wessels et al., 2021) and collaborative strategies (Dalal et al., 2021), offer additional pathways to motivate leaders and engage employees, thereby reducing errors caused by stress or complacency (Hadlington, 2018). Firm size significantly impacts cybersecurity, with SMBs facing disproportionate risks due to resource constraints (Chidukwani et al., 2022). A balanced approach that integrates technology, human factors, and tailored strategies for different organizational sizes is essential for resilience. Effective leadership must combine technical expertise with interpersonal skills to bridge communication gaps and enforce policies (Triplett, 2022). By adopting interdisciplinary frameworks and incentivizing best practices, organizations can effectively navigate evolving threats, ensuring that cybersecurity aligns with their business goals and mitigating the human-related risks that dominate cyber incidents (Mofrad et al., 2025).
Image Credit: (Hornsby, 2020)