Creating a strong security culture is crucial for organizations to protect themselves from cyber threats. However, this isn’t easy, and many organizations struggle to achieve this culture as they focus on raising awareness or, in some cases, blaming and punishing individuals when security incidents occur. This approach isn’t effective and can even make security risks worse.

It’s important to understand that many security incidents happen because of human behavior, such as falling for phishing attacks or using weak passwords – but these incidents aren’t solely the fault of individuals. They’re shaped by a range of factors, including the systems and processes in place, the organization’s policies and working environment, and wider organizational pressures.

To truly address these issues, we need to take a “human factors” perspective. This involves examining how people interact with security systems and processes and understanding the underlying causes of security incidents. By doing so, organizations can develop strategies that prioritize the human element in cybersecurity and create a culture that promotes security awareness and best practices.

What are human factors?

Human factors in cybersecurity explore how human behavior influences the security of computer systems, networks, and data. These factors explain how people interact with technology and how their actions can either contribute to or undermine the security of information systems.

The field of human factors utilizes knowledge of human capabilities and limitations to identify and mitigate the risks of cybersecurity incidents within systems or organizations.

Taking a human factors approach means changing the way organizations think about cybersecurity. This mirrors how the aviation and health and safety industries have successfully adopted the same approach over the past 30 years. Previously, these industries focused on individual actions rather than considering the broader influence of human and organizational factors.

Why are they important?

From blaming to understanding

When a security incident happens – like an employee falling for a phishing email – organizations often focus on finding someone to blame. This blame-centered approach can lead to punishment for employees instead of addressing the real causes of the incident. But this approach can actually make things worse by making employees feel demoralized and less trusting of the organization’s security measures.

A better approach, based on human factors, recognizes that incidents are often caused by bigger problems, not just individual mistakes. By understanding how individual abilities and limitations interact with systems, processes, and the organization’s culture, we can get to the root of security issues.

Identifying the underlying issues

Human factors analysis helps identify the root causes of security incidents by examining individual, team, and organizational dynamics. This includes understanding how human cognition and decision-making processes can lead to errors, the impact of team dynamics such as communication and leadership, and the influence of organizational factors such as policies, procedures, and management practices.

Moving beyond awareness and training to foster a security culture

Instead of just giving people training to raise their awareness, a human factors approach goes deeper. It looks at the culture of the organization and how security is seen and practiced by everyone, from the top to the bottom. By creating a strong security culture, organizations can prioritize security in all daily operations.

What benefits does it bring?

The UK’s National Cyber Security Centre advocates for a people-centric security approach, emphasizing the importance of harnessing the potential of individuals within organizations to create positive security cultures. This approach offers three long-term benefits to security:

  • Enhanced resilience: By empowering employees to identify issues and propose improvements, organizations can increase their resilience. This fosters a culture of continuous improvement and strengthens problem-solving capabilities.
  • Open communication: Establishing open communication channels, free from the fear of negative consequences, encourages employees to discuss security issues openly. This reduces the likelihood of resorting to shadow IT services and promotes a more secure environment.
  • Inclusivity: Prioritizing inclusivity and cultivating an understanding of the purpose behind security rules not only enhances employee well-being but also contributes to improved retention rates. This, in turn, drives overall organizational success and strengthens security measures.

How can Immersive Labs help?

I’m thrilled to share some exciting news with you! We’ve just launched our brand new lab collection called “Human Factors in Cybersecurity.” This collection has been designed by our in-house Chartered Psychologist to provide you with an introduction to human factors in cybersecurity.

By exploring this collection, you’ll gain valuable insights into the psychology behind how people make security mistakes. You’ll also delve into the crucial role of usable security, awareness, and behavior change interventions in mitigating these risks.

The collection consists of six interactive labs that will empower you with the fundamental principles of human factors. You’ll have the opportunity to study famous cases from aviation, safety science, and cybersecurity, understanding their impact on both individuals and organizations. Additionally, you’ll receive invaluable tips on how to cultivate a strong security culture within your own environment.

To learn more about how Immersive Labs can help evolve your cybersecurity culture, visit our Resources Center.


Published: January 12, 2024

Written by: John Blythe