When it comes to cyber-related crimes such as data breaches and deepfakes, none of us needs to look very far for a story that hits close to home. But there’s a problem with this. We tend to look at ourselves, searching for the mistakes we made, the phishing link we clicked on, or the deepfake we fell for. It is always a case of “we got attacked, what did we do wrong?”
That is not to say that we are unaware of the existence of cybercriminals. But are we sufficiently aware of the context in which these attacks succeed? For years, cyberattacks based on “human error” have reinforced the idea that employees are the weakest link in cybersecurity. This is then followed by pointing the finger of blame toward the CISO and the cybersecurity teams that seemingly failed in their jobs.
However, experts like Bruce Hallas, founder of Re-thinking the Human Factor™, argue that this misses the bigger picture. As he describes in the latest episode of the Thales Security Sessions podcast, most breaches are not a case of one person failing; they are the product of a system that failed to support that person in making the right choice.
Why Human Error Isn’t the Whole Story
Astute cyber criminals have long understood the psychology of decision-making. They design phishing emails, deepfake voice messages, and social engineering attacks to exploit our cognitive shortcuts: fear, urgency, curiosity, or even simple distraction. Under the pressure of modern work, these tactics are highly effective.
Bruce points out that organizations, regulators, and courts still talk in terms of “education and awareness.” The mantra is to train employees, run phishing simulations, and remind people to be vigilant, and that is often seen as enough; from this, these organizations expect behaviour and culture change. But frankly, when a company relies on scheduled training sessions alone, it is setting its people up for failure.
In short, an employee who clicks on a phishing link doesn’t lack awareness. They have been taught to spot suspicious emails. What they lack is the right environment, one that makes the secure choice easier than the insecure one.
Learning a lesson from streaming social media
Consider how social media platforms operate. They are carefully and intelligently engineered to influence user behaviour. They use design, feedback loops, and behavioural science to keep people coming back and clicking. So, why don’t we do the same for cybersecurity? The science of understanding human behaviour exists, as these technologies show, but it has not penetrated the organizational environment.
Imagine a workplace where the culture and system were designed to nudge people toward security. How about a mail filter that adds visible, context-rich warnings on external or unusual emails? “That’s been done,” people will say: big yellow banners announcing that an email comes from an external address. But these are not wholly effective, because people go blind to messages they see consistently. They don’t get noticed after the first day. Such blindness is called habituation or warning fatigue. When every message looks urgent, people start tuning them out, and that’s when attackers slip through.
Security isn’t just about technology or policies; it’s about the environment people operate in. If employees feel constant time pressure, if reporting suspicious activity takes too long, or if leadership views security as an obstacle to productivity, then human error becomes inevitable.
Rethinking Responsibility
One of the toughest questions Bruce raises is this: whose responsibility is it to secure the organization? The individual employee or the culture and leadership that shape their actions? Yes, individuals must remain alert. However, placing the full weight of security on employees’ shoulders is unrealistic. Culture doesn’t change overnight, and behaviour doesn’t shift just because of one training session. Leaders must take responsibility for building systems that reduce risk. Here are some possible approaches:
- Make warnings contextual and adaptive. Instead of static banners on every external email, tailor alerts based on risk level. This reduces “noise” and keeps warnings meaningful.
- Keep cyber-safety training short, frequent, and engaging. Replace annual one-hour sessions with frequent and consistent “micro-trainings” of two or three minutes that include storytelling. Not only would a case study stand a greater chance of being remembered, but a gamification element could also be added to assess, for example, whether an employee clicked on the “check out this story” link without questioning it.
- Empower employees rather than policing them. Frame their vigilance as part of their role in protecting colleagues and the company.
- Lead by example. As always, executives and managers should become visible role models of good habits and should also own up to making the same types of mistakes. When leaders show they’re not immune, the rest of the culture follows.
- Build resilience, not just awareness. Expect that some phishing emails and deepfakes will eventually slip through, and then build, practice, and communicate techniques for mitigation. This creates a safety net and reduces overreliance on human attention alone.
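The first approach above, contextual and adaptive warnings in place of a static banner on every external email, is easy to describe and less obvious to implement. The following is an added illustration, not code from the podcast, from Bruce Hallas, or from Thales; the domain names, colleague names, signals and point values are all constructed for the example. The idea is that "external sender" alone never earns a banner (that is the habituating case), while combinations of signals that actually distinguish impersonation attempts from routine outside mail do, and the banner states its reasons so the reader learns something from it.

```python
"""Risk-scored warning banners for inbound mail (added illustrative example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical organisation settings; every value here is constructed.
INTERNAL_DOMAIN = "example.com"
INTERNAL_DISPLAY_NAMES = {"Jane Doe", "Sam Patel"}
KNOWN_EXTERNAL_SENDERS = {"partner@supplier-example.net"}
URGENCY_PHRASES = ("urgent", "immediately", "action required",
                   "account suspended", "within 24 hours")


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str
    reply_to: Optional[str] = None


@dataclass
class Assessment:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def level(self) -> str:
        # Thresholds are a design choice: routine mail from a known outside
        # contact scores 1 and gets no banner, so banners stay rare and meaningful.
        if self.score >= 4:
            return "high"
        if self.score >= 2:
            return "medium"
        return "none"


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def assess(msg: Message) -> Assessment:
    """Accumulate risk signals; internal mail is never decorated."""
    a = Assessment()
    sender_domain = domain_of(msg.from_addr)
    if sender_domain == INTERNAL_DOMAIN:
        return a
    a.add(1, "sender is outside the organisation")
    if msg.from_addr.lower() not in KNOWN_EXTERNAL_SENDERS:
        a.add(1, "no previous correspondence with this address")
    if msg.from_name in INTERNAL_DISPLAY_NAMES:
        a.add(3, f"display name '{msg.from_name}' matches a colleague "
                 "but the address is external")
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        a.add(2, "replies would go to a different domain than the sender")
    text = f"{msg.subject} {msg.body}".lower()
    if any(p in text for p in URGENCY_PHRASES):
        a.add(2, "message uses pressure or urgency language")
    return a


def banner(msg: Message) -> Optional[str]:
    """Return the banner text to prepend, or None when no banner is warranted."""
    a = assess(msg)
    if a.level == "none":
        return None
    if a.level == "medium":
        return "Note: " + "; ".join(a.reasons) + "."
    bullets = "\n".join(f"  - {r}" for r in a.reasons)
    return ("WARNING: this message shows several signs of impersonation. "
            "Verify the sender by another channel before acting on it.\n" + bullets)


# Constructed sample traffic covering the cases the thresholds are meant to separate.
SAMPLE_MESSAGES = {
    "internal": Message("Sam Patel", "sam.patel@example.com",
                        "Lunch?", "Team lunch on Friday."),
    "known_partner": Message("Supplier Co", "partner@supplier-example.net",
                             "Q3 invoice", "Invoice attached as agreed."),
    "newsletter": Message("News Digest", "digest@news-example.org",
                          "Weekly digest", "This week's top stories."),
    "spoofed_colleague": Message("Jane Doe", "jane.doe@mail-example.com",
                                 "Urgent: action required",
                                 "I need you to handle this immediately.",
                                 reply_to="office@other-example.net"),
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"[{name}] level={assess(msg).level}")
        print(banner(msg) or "(no banner)")
        print()
```

Run as written, the internal note and the known partner's invoice pass through untouched, the unknown newsletter gets a one-line note, and only the display-name spoof with a mismatched Reply-To and urgency language gets the prominent warning, with the reasons spelled out. The point values and the known-contact list are where a real deployment would be tuned against its own mail flow; the structure (score, threshold, explain) is what keeps the warning from becoming wallpaper.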
These techniques are essential in a world where cybercrime operates and innovates by the second, while companies still work on weekly and annual cycles. Building a culture that can keep up also includes:
- Defining “culture” clearly. A shared definition is the first step to change.
- Applying proven behavioural frameworks to guide secure decision-making.
- Balancing control with trust and innovation. Leaders must find the right balance.
- Committing to continuous reinforcement, including iterative learning techniques over time and in different contexts. Annual training fades quickly, as the Ebbinghaus forgetting curve shows, so security awareness must be ongoing, embedded in daily workflows, and supported by leadership at every level.
Turning the Weakest Link into the Strongest Ally
Leadership must acknowledge that the concern isn’t just with technology or employee negligence. It is a cultural thing. Instead of blaming employees for mistakes, organizations should rethink the human factor. The challenge for leaders is to design systems and cultures that use the same insights used by social media and by cybercriminals themselves, to protect rather than exploit.
Listen to the full Thales Security Sessions podcast episode with Bruce: “From Awareness to Action – Building Cybersecurity into Culture” online, or wherever you get your podcasts.
You can also join Bruce for his Human Factor Masterclass series of events, which will take place online and across the UK and Europe from November 2025. More information HERE.
Steve is a specialist in organizational psychology, focusing on the interaction of people, technology and change. He holds degrees in journalism and psychology, and is pursuing a PhD in Psychology, focusing on brain/technology interaction.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.