The Human Element: Understanding the Psychology of Cybersecurity Defence
By James Rees, MD, Razorthorn Security
Human-related security failures are rarely about incompetence. Most organisations view security as a problem to be solved through training modules, awareness campaigns and strict policies, yet beneath this mechanical approach lies a deeper truth: our relationship with security at work mirrors our basic human needs for safety, belonging and professional dignity.
This disconnect between how organisations approach security and how people actually experience it deserves closer examination. From healthcare to finance, from small businesses to global enterprises, the stories emerging across industries reveal a troubling pattern where fear-based security measures often achieve the opposite of their intended effect.
Following our recent Razorwire podcast episode, Mental Health, Organisational Culture & The Human Side of Cybersecurity, with Lisa Ventura (MBE) and Bec McKeown, this blog looks at why traditional security awareness programmes may be causing more harm than good, and explores how forward-thinking organisations are pioneering more sustainable approaches that honour both human psychology and business objectives.
The Problem with Traditional Approaches
The conventional approach to cybersecurity training and awareness has long relied on a simplistic model of periodic training sessions, simulated phishing tests and punitive measures for those who fail to meet security standards. This methodology has proven increasingly inadequate in addressing sophisticated challenges while fostering a counterproductive environment of fear and resentment.
Consider the troubling case of a nurse with 25 years of dedicated service who was dismissed for failing phishing simulation tests three times. This incident exemplifies everything wrong with current approaches to security awareness. The organisation effectively lost a valuable healthcare professional, whose expertise in saving lives was deemed less important than her ability to spot increasingly sophisticated email deceptions.
Moreover, traditional approaches often fail to account for the increasing sophistication of modern cyber threats. With attackers now utilising advanced AI-generated content and deep research into their targets, the old advice about spotting grammatical errors or obvious signs of phishing has become woefully inadequate. When standard security training hasn’t evolved to match current threats, organisations essentially set their employees up for failure, whilst maintaining unrealistic expectations about their ability to spot increasingly clever deceptions.
Understanding Organisational Culture’s Impact
The relationship between organisational culture and cybersecurity effectiveness runs far deeper than many businesses recognise. When staff members face tight deadlines and excessive workloads, their capacity for careful consideration of security protocols diminishes considerably, creating vulnerabilities that technical solutions alone cannot address.
The concept of psychological safety within organisational culture plays a crucial role in security effectiveness. When employees fear repercussions for reporting potential security incidents or admitting to mistakes, they’re less likely to raise concerns promptly. This reluctance can lead to situations where minor security issues escalate into significant breaches simply because staff members feel unable to acknowledge their errors without facing severe consequences.
Workplace pressure manifests in various ways that impact security decisions. For instance, when management emphasises rapid task completion over careful procedure following, employees may feel compelled to circumvent security measures they perceive as obstacles to productivity. This cultural dynamic creates a concerning paradox where the organisation’s drive for efficiency actually increases its vulnerability to security incidents. The pressure to ‘just get things done’ can override even well-established security protocols, particularly when employees feel their job performance is being measured solely on task completion rather than secure practice.
The challenge extends beyond individual departments to affect entire organisational structures. When senior management demonstrates a casual attitude toward security measures or fails to allocate appropriate time and resources for security-related tasks, this attitude cascades throughout the organisation. The resulting culture can create an environment where security becomes viewed as an inconvenience rather than an essential aspect of business operations, leading to systemic vulnerabilities that no amount of technical solutions can fully address.
The Burnout Crisis and Building Better Security Programmes
The mounting pressure on cybersecurity teams has created an unsustainable environment where burnout has become a critical risk factor in organisational defence. Security professionals frequently report operating in a constant state of high alert, with many expressing that they don’t get any respite. This perpetual state of vigilance, combined with the knowledge that they’ll be the first targets for blame when incidents occur, creates a perfect storm for professional burnout and deteriorating mental health among security personnel.
The traditional expectation that security teams should be available 24/7 during incidents is particularly problematic. Without proper shift systems and support structures, team members face extended periods of intense work during crisis situations, often lasting weeks rather than days. This exhausting pattern not only affects the professionals themselves but also impacts their families and personal lives, creating a ripple effect of stress that extends well beyond the workplace.
In response to these challenges, some organisations have begun implementing more positive approaches to security awareness and team support. Notable success has been found in reward-based systems where employees earn points for positive security behaviours, such as reporting potential phishing attempts or identifying security concerns. While such systems require careful management to prevent abuse, they represent a significant shift away from punitive measures toward positive reinforcement.
Building better security programmes also involves creating an environment where communication between security teams and other departments flows naturally and constructively. Rather than being seen as obstacles to progress, security professionals should be integrated into project planning from the earliest stages. This approach helps prevent the common scenario where security teams are excluded from important meetings “just in case” they identify security concerns that might delay project completion.
A successful security programme must balance rigorous protection with practical business needs. This includes implementing security awareness training that recognises the different roles and responsibilities within the organisation, rather than applying a one-size-fits-all approach. For instance, healthcare professionals might receive tailored training that acknowledges their primary focus on patient care, whilst still ensuring they understand essential security practices relevant to their role.
Recommendations for Organisations
When developing a robust security programme, organisations must prioritise the creation of psychological safety within their security culture. This extends far beyond basic awareness training to encompass how the entire organisation approaches security incidents and employee mistakes. Rather than fostering an environment of fear and blame, companies should establish clear channels for reporting security concerns without fear of reprisal.
For smaller organisations with limited resources, implementing comprehensive support systems may seem daunting. However, even modest steps toward improving support structures can yield significant benefits. This might include establishing basic incident response rotations, ensuring clear communication channels during crises and creating partnerships with external support services. The key is to recognise that even small organisations cannot afford to ignore the human element of their security operations.
The development of sustainable incident response procedures should be a priority for all organisations. This includes establishing clear protocols for managing extended incidents without exhausting security teams, ensuring family support during crisis periods and maintaining clear communication channels throughout the organisation. Companies should also consider implementing regular “pressure testing” of these procedures to ensure they remain effective and practical under real world conditions.
A crucial recommendation for organisations is the integration of security considerations into broader business operations. Rather than treating security as a separate function that merely creates obstacles, companies should ensure security teams are included in project planning from the outset. This approach helps prevent the common scenario where security concerns are discovered late in project development, leading to costly delays and potential conflicts between security requirements and business objectives.
The Future of Psychological Security
The evolution of cybersecurity is increasingly moving beyond purely technical solutions towards a more nuanced understanding of psychological factors in security effectiveness. This shift recognises that while technology continues to advance, the human element remains both our greatest vulnerability and our strongest potential defence.
The role of legislation and compliance in shaping security culture is becoming more prominent, particularly with the introduction of regulations like DORA in Europe. These frameworks are beginning to mandate more comprehensive approaches to security, including potential consequences for organisations that fail to take security seriously, such as significant fines and potential legal ramifications for senior management.
The emergence of dedicated mental health support in cybersecurity, exemplified by initiatives like the Mental Health and Cybersecurity Foundation, signals a growing recognition of the psychological challenges faced by security professionals. These organisations are working to build communities where security professionals can share experiences, learn from each other and develop better approaches to managing the intense pressures of cybersecurity work.
Looking forward, organisations must develop more sophisticated approaches to building sustainable security cultures. This includes moving beyond basic security awareness training to create environments where security consciousness is naturally integrated into daily operations. Future security programmes will need to balance the technical requirements of protection with the psychological wellbeing of both security teams and general staff, recognising that exhausted, stressed or fearful employees represent a significant security risk, regardless of the technical controls in place.
The integration of cyberpsychology into security planning represents another crucial development for the future. As attacks become more sophisticated, understanding the psychological factors that influence both attackers and defenders becomes increasingly important. This includes developing better approaches to threat assessment that consider not just technical vulnerabilities but also psychological ones, such as the increased risk of data theft during periods of organisational change or staff reduction.