Abstract
This teaching case addresses the core challenge of why 95% of internal cybersecurity breaches stem from employee error despite massive technology investments. Leveraging behavioral psychology and featuring cybersecurity consultants Elsa and Maya, the case analytically structures the problem by identifying and examining four key behavioral factors contributing to breaches: Emotional, Cognitive, Negligence, and Diffused Responsibility. It then presents ‘employee conditioning’ as a strategic intervention, requiring students to analyze its ethical and operational perils. Ultimately, the case frames a critical strategic decision: developing a resilient cybersecurity posture through the optimal integration of Human-in-the-Loop (HITL) and Human-Out-of-the-Loop (HOOTL) systems. Students are prompted to move beyond awareness training to design an integrated security mindset that systematically addresses human irrationality and the complex interplay of these behavioral risk factors.
Keywords
Introduction
The streets of Belgravia forever seemed to glisten, a thin layer of rain never seeming to lift. Finding themselves back yet again on floor 3, Elsa and Maya had a sense of déjà vu; their combined expertise had repeatedly produced more than either could alone in advising on, and resolving, numerous cybersecurity breaches and issues worldwide.
Elsa was still part of the UK government’s NCSC (National Cyber Security Centre), and Maya was with the US NSA (National Security Agency) Cybersecurity Directorate. Separately, they were highly accomplished cybersecurity experts; together, a force to be reckoned with (Datta and Acton, 2023). They had years of experience dealing with cyber breaches and advising on preventative and corrective action. This time, however, they were working together as independent cybersecurity consultants, tasked by a company they both knew well with developing a wholly different approach to its cybersecurity, one that did not lean on the technology corner of the usual “people, processes, and technologies” triad.
It was early spring, and the last time they had been together in the building it had also been around this time of year, as buds on the trees below were about to burst and the brightness of the days heralded the warmth to follow. That time, they were there to advise on endpoints and IoT devices. This time it was different, and the task was specific.
This teaching case examines the critical role of employee behavior in organizational cybersecurity through the collaboration of Elsa (UK National Cyber Security Centre) and Maya (US NSA Cybersecurity Directorate). Despite significant technological investments, the persistence of human-centric breaches, accounting for 95% of incidents, necessitates a shift in strategic focus from technical controls to behavioral psychology. The case analytically structures the problem by identifying key behavioral risk factors and evaluating the efficacy of “employee conditioning” as a strategic intervention. Ultimately, it requires students to design a resilient cybersecurity posture that integrates Human-in-the-Loop (HITL) and Human-Out-of-the-Loop (HOOTL) systems to systematically address human irrationality and behavioral vulnerabilities.
Elsa closed the glass door of the room and sat with Maya at the conference table. Both had become immune to the hum of the air conditioning, the automatic blinds that lowered when someone connected a laptop to the main display screen behind them, and that strange clouding of the glass in the door and corridor walls of the room that stopped anyone passing from seeing inside. “Strange the things we don’t notice,” said Maya, “this too will become ‘silent’.” “Yes,” added Elsa, “and like cyber threats we can’t see, we don’t notice them either.” “Vigilance, and the unseen,” added Maya, “Behaviors are like that, sometimes people aren’t vigilant, don’t see the consequences, or carry on regardless!”
Behavioral underpinnings
Human beings are ostensibly “homo economicus,” Adam Smith’s “Rational Economic Man.” But we are rarely so. We are prey to worries, anxieties, stress, fears, anger, and love, among myriad irrational emotions. Yet we, the very irrational entities, are the endpoints and the first line of action, reaction, and defense in the organizational cybersecurity puzzle. Simply put, we as gatekeepers are capricious and irrational entities defending ourselves and the institutions we inhabit and work in.
Elsa and Maya were together to specifically focus on the people perspective of the “people, processes and technologies” triad. So many cybersecurity consultancies focus on technologies, specifying technical fortresses based on hardware and software specification (Datta et al., 2022) but rarely is there a primary focus on people (Jones et al., 2022; Reeves et al., 2025). “Actually, even some professional cybersecurity certifications don’t have a clear people focus,” remarked Maya. Both were only too aware that conventional cybersecurity strategies were becoming increasingly ineffectual, as cyberthreats incessantly evolve (Yulianto et al., 2025).
Maya reflected on the insights shared by a senior manager from the client firm during their session the previous day. The manager had observed that while technical controls remain necessary, the organization had become overly reliant on the “technology” segment of the people, processes, and technology triad. He noted that although their workforce is their greatest strength, it also represents a significant vulnerability. Consequently, the firm required a fresh cybersecurity strategy that elevated the human element and acknowledged that the overlaps between people, processes, and technology demand the most rigorous focus. By addressing these intersections, the organization could minimize human-centric risks and strengthen its overall security.
Elsa noted, “After all, employee actions and behaviors are perhaps the most vital factors in maintaining a secure environment. Our primary objective is to decode the behavioral cybersecurity of your employees, so the real value is to offer an end-to-end ‘human’ strategy for behavioral cybersecurity.”
Maya cautioned, “But remember the adage: when good strategies clash with bad habits and cultures, even the best strategies lose.” “Now that adds a dash of existentialism, doesn’t it?” Elsa humored. “Managerial cultures often expect ample rationality and discernment from employees, and employees are cognizant of this and required to act as such. Yet why do we encounter so many instances contradicting this? Why do employees continue to act in maladaptive ways unbecoming of their duties?”
This case helps (1) categorize behavioral factors in cybersecurity breaches, (2) analyze their theoretical underpinnings, (3) evaluate intervention strategies like employee conditioning, and (4) assess the associated advantages and risks.
Why are employees such a cybersecurity weakness?
Elsa explained, “Employees remain the primary cause of cybersecurity incidents, with a mere 8% accounting for 80% of breaches. While companies rarely publicly blame factors like shame or pride, employee behavior patterns clearly underpin many events. We identified four behavioral factors, notably, Emotional, Cognitive, Negligence, and Diffused Responsibility, as key contributors to high-profile breaches. Categorizing these is essential for developing targeted solutions (Figure 1).”
Figure 1. Employee behavioral factors leading to breaches.
Emotional factors
Emotional factors in cybersecurity represent psychological states that compromise rational decision-making and security protocol adherence. Drawing from protection motivation theory (Rogers, 1975) and research on affect and security behavior (Crossler et al., 2013), we understand that emotions influence cybersecurity decisions through three primary mechanisms: (1) cognitive resource depletion under stress, which reduces capacity for threat assessment and protocol recall; (2) fear-driven decision-making that activates system-one thinking and bypasses deliberative security processes; and (3) authority bias amplification, where hierarchical pressure overrides security training.
Emotional factors compromise rational decision-making in security. Fear-driven responses often bypass security training, as seen in the 2024 deepfake scam where an employee, pressured by perceived executive authority, transferred $25 million. Similarly, the 2022 Optus breach in Australia was partly attributed to employees shortcutting security configurations while under significant pressure to innovate rapidly.
Stress and pressure
Employee stress and pressure contributed to the September 2022 Optus data breach in Australia. Millions of customer records were exposed due to an exposed API (Application Programming Interface, which facilitates connecting external web applications to a company’s data, such as the Google Maps API that allows embedding Google Maps on websites and web apps). Its API was exposed because it was public-facing, allowing open access without authenticating: a setup that should not be in place when the API has access to sensitive internal data (Kost, 2024). That data sat in a database with careless, sequential customer numbering, allowing hackers to query the database using incrementing customer ID numbers, and thereby easily extract private records matched to those customers.
Employees, stressed by the pressure to innovate during the company’s rapid growth, likely short-cut security reviews and configurations, and those shortcuts cascaded into the technical vulnerabilities described above.
But why? The employees in charge of API configuration did not lack technical proficiency in secure methods; the issue was not a deficit in knowledge. Instead, the urgent demand for innovation exhausted the cognitive energy required for the proper execution of security protocols. When constrained by time, personnel often fall back on Herbert Simon’s concept of bounded rationality, engaging in ‘satisficing’ to fulfill basic requirements instead of pursuing ideal outcomes. Consequently, the API was deployed to meet functional needs, yielding immediate rewards for the organization, while security measures were postponed. This situation illustrates that training is often insufficient on its own, as employees may understand the necessary procedures but lack the cognitive bandwidth to implement them under intense pressure.
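The two design faults described above, an endpoint that answers without authenticating the caller and identifiers that can simply be incremented, are easiest to see side by side. The following is an added illustration written for this case, not code from Optus or from the case authors; the customer records, session tokens and handler names are constructed for the example, and the “HTTP status” return values stand in for a real web framework so that it runs offline. The hardened handler shows the two controls that close the hole: a bearer token bound to one customer, and opaque identifiers that cannot be walked.

```python
import hmac
import secrets
import uuid
from typing import Dict, List, Optional, Tuple

# Constructed sample records keyed by sequential customer numbers, the
# design flaw described above (assumption: shape only, not real Optus data).
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "passport": "N1234567"},
    1002: {"name": "B. Example", "dob": "1975-05-05", "passport": "N7654321"},
    1003: {"name": "C. Example", "dob": "1990-09-09", "passport": "N1122334"},
}


# --- Vulnerable handler: no authentication, predictable identifiers -------
def vulnerable_get_customer(customer_id: int) -> Optional[dict]:
    """Returns the full record for any integer id; nothing checks who asks."""
    return CUSTOMERS.get(customer_id)


def enumerate_vulnerable(start: int, count: int) -> List[dict]:
    """What an attacker does against the endpoint above: increment the id
    and keep whatever comes back."""
    found = []
    for cid in range(start, start + count):
        rec = vulnerable_get_customer(cid)
        if rec is not None:
            found.append(rec)
    return found


# --- Hardened handler: bearer token bound to one customer, opaque ids ------
SESSIONS: Dict[str, str] = {}                               # token -> opaque customer id
OPAQUE_IDS = {cid: str(uuid.uuid4()) for cid in CUSTOMERS}  # replaces sequential numbers
BY_OPAQUE = {v: k for k, v in OPAQUE_IDS.items()}


def issue_token(customer_id: int) -> str:
    """Stand-in for the login step: an unguessable token tied to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = OPAQUE_IDS[customer_id]
    return token


def hardened_get_customer(token: Optional[str], opaque_id: str) -> Tuple[int, Optional[dict]]:
    """Returns (http_status, body). Requires a valid token AND that the token
    was issued for the requested record (object-level authorization). Unknown
    and forbidden both return 404 so a caller cannot learn which ids exist."""
    if token is None or token not in SESSIONS:
        return 401, None
    owner = SESSIONS[token]
    # Constant-time comparison so timing does not leak the owner's id.
    if not hmac.compare_digest(owner.encode(), opaque_id.encode()):
        return 404, None
    return 200, CUSTOMERS[BY_OPAQUE[opaque_id]]
```

Against the vulnerable handler, a loop over a range of integers retrieves every record that exists; against the hardened one, a caller without a token gets 401, and a caller with a valid token who asks for another customer’s identifier gets the same 404 as for a non-existent one, so enumeration yields nothing.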
Fear, authority, and anxiety
In February 2024, a finance worker at a multinational firm was tricked into making a $25 million transfer after participating in a video conference call with someone they believed to be their CFO and other colleagues. The attackers used deepfake technology to impersonate the executives, exploiting the employee’s trust and the authority associated with their superiors. While the worker had initially been suspicious of the email invitation, the hackers’ convincing deepfake video made the employee fearful and anxious of executive repercussions and low performance reviews, leading to the large funds transfer.
Similar widespread phishing campaigns targeting organizations with urgent “invoice overdue” or “account suspension” emails are ongoing, leveraging fears of financial penalties or service interruption to manipulate employees into clicking malicious links or divulging credentials.
Similarly, AI-led Business Email Compromise (BEC) scams, where attackers impersonate CEOs or senior executives to trick employees (often in finance), are ongoing and highly prevalent (Datta and Acton, 2025). Employees are often predisposed to follow instructions from perceived authority figures without critical verification, making them susceptible to social engineering.
The deepfake incident illustrates fear-driven decision-making combined with authority bias. The employee demonstrated appropriate initial skepticism (questioning the email), showing security awareness training had created the knowledge foundation. However, the visual confirmation of authority figures triggered a fear response, specifically, fear of questioning superiors and consequent reputational damage or career impact.
Shame and blame
December 2020 brought the SolarWinds cyberattack to light. The SolarWinds Sunburst hack was a sophisticated supply chain attack in which employees’ leaked GitHub credentials were used to insert malware into a SolarWinds update (Datta, 2022). However, the aftermath produced an internal blame game of “who missed what” rather than a faster systemic review and patching of security processes. Such post-breach shaming and blaming hinders reactive and proactive defenses and encourages attackers to attempt further social engineering, since targeted employees anxious to avoid being shamed and blamed may comply quietly rather than escalate. Likewise, some employees may be hesitant to report incidents or to participate fully in root-cause analysis, prolonging vulnerabilities.
The SolarWinds aftermath demonstrates how shame and blame create secondary vulnerabilities beyond the initial breach. The organizational response - a “blame game” focused on individual attribution rather than systemic analysis, activated two damaging mechanisms. First, it created reporting hesitancy: employees witnessing the punishment of those “who missed it” become risk-averse about reporting subsequent suspicious activities or admitting mistakes. This is the observer effect in organizational behavior: punishment of one employee signals to all others that errors will be punished, not learned from.
Second, the shame response triggered defensive reasoning rather than diagnostic thinking. When employees fear blame, their cognitive energy shifts from “how did this happen and how do we prevent it?” to “how do I demonstrate this wasn’t my fault?” This defensive posture makes comprehensive root-cause analysis nearly impossible, as individuals withhold information to protect themselves. The result: the organization fixes surface vulnerabilities while leaving systemic weaknesses intact, creating conditions for future breaches.
Malicious intent
Insider cyberattacks from employees with malicious intent are on the rise, with 71% of companies experiencing nearly 40 insider security incidents in 2023, up 70% year-on-year (StationX, 2025). In 2018, a disgruntled Tesla employee, unhappy with a reassignment, hacked into the company’s manufacturing systems and leaked sensitive data. Unrelated, a former Georgia-Pacific systems administrator, after being laid off, accessed the company network using old credentials and installed software that disrupted industrial control systems, causing over $1 million in damage. And in 2025, Coinbase customer support agents, likely bribed by scammers, exposed sensitive data of Coinbase users.
Malicious intent among disgruntled employees is particularly dangerous, given that they have deep access to sensitive data and can intentionally leak some, interfere with internal systems, download malware, or corrupt databases or backups.
The majority of insider threats are unintentional, yet unintended consequences can produce vulnerabilities (Triplett, 2022). A person may not recognize the cybersecurity vulnerability in having company data stored on an unlocked old laptop at home or on a USB drive whose location is uncertain, in sharing a login with a colleague, or in mixing technologies suited to personal rather than work use.
Elsa raised a series of questions. “Can companies implement realistic project timelines, establish clear ‘security-first’ mandates that reward safe practices over speed, and provide mental health and stress-management resources? How can companies create a ‘security-friendly’ culture where employees are encouraged (and even rewarded) for questioning suspicious requests, especially from high-level executives (e.g., establishing mandatory out-of-band verbal confirmation for all large transfers)? How should companies develop specific, actionable mitigation plans for real-world scenarios, such as designing a technical and policy framework to prevent the $25 million deepfake scam, or creating a new blameless reporting process for a simulated APT (Advanced Persistent Threat) incident?”
Cognitive factors
Cognitive factors in cybersecurity represent systematic thinking errors that persist regardless of knowledge, training, or emotional state. Humans rely on heuristics, that is, mental shortcuts that usually work efficiently but create predictable vulnerabilities in security contexts. Unlike emotional factors, where recognizing stress might trigger compensatory behaviors, knowing about confirmation bias does not prevent it. The bias operates automatically, below conscious awareness. This explains why cybersecurity training focused on ‘raising awareness’ of threats often fails: awareness addresses knowledge gaps, not the cognitive architecture that converts awareness into diligence, the ‘actionable’ piece of the puzzle (Datta and Krancher, 2024).
Underestimating complexity
As more services become application-based, complexity grows. Each service is a component of a larger IT system; if one is compromised, the whole system is at risk. Examples include Salesforce for CRM, Slack for communications, Dropbox for cloud storage, Microsoft 365 for productivity and collaboration, Adobe Creative Cloud for design, video, and web, Asana and Trello for project management, Zendesk for customer service, DocuSign for e-signatures, Zapier for workflow automation, Jira for project tracking and agile methods, Notion for an all-in-one workspace, GitHub for code hosting and version control, and QuickBooks for accounting.
Yet, employees in various companies adopt hundreds, often thousands of software services, underestimating complexity. Employees often fail to fully grasp the intricate attack surfaces or potential for vulnerabilities within their extended IT environment. The May 2023 “MOVEit” data breaches affected numerous global organizations due to a critical vulnerability in MOVEit, a popular file transfer software. The organizations using MOVEit likely underestimated the complexity of securing third-party software in their supply chain.
Further, the proliferation of Bring Your Own Device (BYOD) and shadow IT, the unsanctioned adoption of hardware and services outside the purview of IT departments, introduces a layer of unexpected complexity, frequently born from a perceived friction in security controls and a pervasive culture of negligent tolerance.
The 2025 ‘Signalgate’ incident serves as a poignant illustration: a journalist was inadvertently added to a Signal group chat in which Pete Hegseth, the US Defense Secretary, shared sensitive operational details of planned military strikes in Yemen with senior administration officials. The incident underscores the critical intersection where underestimating technical complexity meets convenience heuristics, fostering shadow IT vulnerabilities. By opting for a consumer messaging app over secure, government-mandated communication channels, officials succumbed to a cognitive bias in which the immediate procedural friction of authenticated systems outweighed the abstract yet catastrophic risks of breaching operational security and classification requirements.
Confirmation bias
Confirmation bias describes the tendency of employees, including incident response teams, to quickly latch onto the most obvious explanation for a breach without a deeper investigation into systemic issues, implementing superficial fixes that don’t address the root cause.
The response to the May 2021 Colonial Pipeline ransomware attack fixated on the ransom as the primary focus of reactive attention. This produced a confirmation bias that whatever resolved the ransom would be adequate to get the organization back on track. While the ransomware was the visible cause, underlying weaknesses in network segmentation and security practices likely played a significant role, and these escaped employees’ initial attention. The root cause was missed.
The Colonial Pipeline response demonstrates confirmation bias operating at the organizational level. Confirmation bias, the tendency to seek, interpret, and remember information confirming pre-existing beliefs, manifests in incident response as ‘solution fixation’. The organization encountered a ransomware attack and fixated on resolving the ransom and restoring operations as the obvious solution path, while losing focus on fixing the ‘root causes’.
Risk normalization in cybersecurity
Risk normalization describes a phenomenon where individuals and organizations, over time, become accustomed to a persistent level of threat, leading to a diminished sense of urgency and vigilance. Consider the continued prevalence of phishing attacks despite widespread awareness campaigns: for years, employees have been inundated with information about phishing, its dangers, and how to identify malicious emails. Yet, paradoxically, ‘phishing fatigue’ can lead employees to normalize the risk and, by extension, increase an organization’s attack surface. As employees normalize the risk of phishing, they become more susceptible to sophisticated social engineering tactics, ultimately increasing the likelihood of a successful breach.
Maya inquired, “How can teams surface multiple, conflicting potential root causes beyond the immediate, obvious explanation (e.g., the ransomware attack itself), and systematically investigate underlying systemic vulnerabilities (like network segmentation flaws) before implementing a fix? How can companies combat complexity to assess the true attack surface by evaluating the interconnectedness of each service, the shared data access between them (e.g., how Salesforce integrates with Slack and Microsoft 365), and the security posture of third-party vendors? How can organizations move past ‘click-this-link’ awareness campaigns to a more effective approach, implementing adaptive, gamified training that disrupts the complacency of ‘phishing fatigue’ and keeps the sense of vigilance high?”
Risk normalization is a paradoxical cognitive failure in which repeated exposure to warnings decreases the perceived threat, through fatigue and through the availability heuristic, by which people estimate probability from how easily examples come to mind. Frequent phishing simulations and warnings thus make phishing seem routine rather than dangerous: each unsuccessful phishing attempt or simulated attack provides evidence that “nothing bad happened,” updating the mental model toward “phishing is common but not personally consequential.”
Negligence factors
Negligence in cybersecurity is typically framed as individual failure: someone “should have known better” or “was careless.” This framing is both psychologically satisfying, because it identifies a culprit, and organizationally convenient, because it suggests that the solution is disciplining or replacing individuals. The framing recurs across each of the negligence types discussed below.
Configuration negligence
Employees are the primary gateways for configuring IT systems securely. Leaving default settings in place, leaving ports open, or assigning incorrect access policies are common oversights that expose data or systems. A lack of awareness, insufficient training, or simple human error can thus lead to critical oversights that expose sensitive data and systems to malicious actors.
A prominent and ongoing example of configuration negligence is the widespread issue of cloud storage breaches. Companies frequently misconfigure Amazon S3 buckets, Microsoft Azure Blob Storage, Google Cloud Storage, or similar cloud storage instances, inadvertently making them publicly accessible. This often occurs when employees, especially system and network administrators, fail to properly apply access control lists (ACLs) or bucket policies, mistakenly setting permissions to public instead of private or restricting access to authorized users only.
‘Training’ the administrator on correct configurations addresses none of the latent conditions behind such misconfigurations. The next administrator faces identical pressures and constraints. Effective intervention requires changing vendor defaults, providing decision-support tools, clarifying ownership, adjusting performance metrics, and implementing automated verification.
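The “automated verification” just mentioned can be concrete and small. The following is an added example written for this case, not code from the case authors or from any cloud vendor: it parses the standard bucket-policy JSON shape that S3 uses (Effect, Principal, Action, Resource, optional Condition) and flags Allow statements that are open to everyone, and it checks an ACL grant list for the public grantee groups. The two policies and the ACL grants are constructed samples for a hypothetical bucket; treating any Condition as “not world-open” is a simplification you would tune for your own accounts.

```python
import json
from typing import List

# Constructed sample: the misconfiguration described above, a wildcard
# principal granting read and list on the whole bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"]
    }]
})

# Constructed sample: the corrected policy, scoped to one IAM role and one action.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowExportRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-customer-exports/*"]
    }]
})

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_everyone(principal) -> bool:
    """True for the forms a wildcard principal can take in a bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def public_statements(policy_json: str) -> List[str]:
    """Return the Sid (or index) of every Allow statement reachable by anyone.
    Assumption: a statement carrying any Condition block is treated as
    restricted and is not flagged; review those separately."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be un-listed
        stmts = [stmts]
    flagged = []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(s.get("Principal")):
            continue
        if s.get("Condition"):
            continue
        flagged.append(s.get("Sid", "statement[%d]" % i))
    return flagged


def acl_is_public(grants: List[dict]) -> bool:
    """Check an ACL grant list (the shape returned by get-bucket-acl) for the
    AllUsers / AuthenticatedUsers groups, i.e. the 'public-read' mistake."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS for g in grants)
```

Run in CI or as a periodic job against every bucket policy and ACL in the account, a non-empty result from either function is a deployment blocker rather than a finding for the next audit. The vendor-default change the text calls for has a direct counterpart here: leaving the account-level Block Public Access setting enabled means the public policy above is rejected at write time, so the check becomes a second line rather than the only one.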
Process Negligence
Process negligence in cybersecurity refers to employees’ failure to establish, implement, or consistently follow defined security procedures and protocols. The 2017 Equifax data breach, which exposed the personal information of approximately 147 million consumers, was largely attributed to employees’ failure to patch a known vulnerability in Apache Struts (CVE-2017-5638). Despite a patch being available months prior to the incident, employees failed to craft internal processes for vulnerability management and patching.
Hardcoding credentials is another severe security risk arising from process negligence. Hardcoding credentials, the practice of embedding sensitive information such as usernames, passwords, and API keys for accessing data directly in code, is still common among programmers: for example, storing the username and password for a database connection in the application’s source code for fast access, rather than in a secure configuration file, an environment variable, or a secrets manager. If that code is exposed, whether through a software supply chain attack (e.g., SolarWinds (Datta, 2022)), a public code repository, a misconfiguration, or a data breach, attackers gain immediate access to the database.
Similarly, developers often embed API keys, which are unique identifiers allowing servers to authenticate and authorize requests from applications, directly into the app’s source code. Attackers actively seek and exploit these credentials to gain unauthorized access to systems, data, and resources. In essence, using hardcoded credentials demonstrates a process failure to exercise a ‘duty of care’ in protecting sensitive information.
Unless organizations have well-defined processes, covering configuration, secure coding practices (no hardcoded credentials), timely software updates and patching, and Incident Response Plan (IRP) procedures and drills for the post-breach phase, even the best cyberdefense can fall prey to an evolving cyberthreat landscape.
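A concrete picture of the hardcoding problem and of the process control that replaces it, added here as an illustration (not code from the case or from any real project): a snippet of source with an embedded database password and access key, the same lookup done through the environment so the secret never enters the repository, and the kind of pattern check a pre-commit hook or CI job runs to catch the hardcoded form before it is pushed. The source snippet, hostname and password are constructed; the access key is the placeholder AWS uses in its own documentation, not a live credential.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# --- Before: constructed example of credentials embedded in source ------
VULNERABLE_SOURCE = '''
DB_USER = "reports"
DB_PASSWORD = "Summer2024!"                # shipped to every clone of the repo
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder key
conn = connect(host="db.internal", user=DB_USER, password=DB_PASSWORD)
'''


# --- After: the secret is injected at runtime and the process fails closed --
def db_password_from_env(env: Optional[Dict[str, str]] = None) -> str:
    """Read DB_PASSWORD from the process environment (populated by a secrets
    manager or the deployment system). Raise if it is missing rather than
    falling back to a built-in default, which would just be hardcoding again."""
    env = os.environ if env is None else env
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD not set; refusing to start")
    return password


# --- Scanner: patterns a pre-commit hook or CI job can apply to each diff --
PATTERNS = {
    # AWS access key ids have a fixed prefix and a 16-character suffix.
    "aws_access_key": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A secret-looking name assigned a quoted literal of six or more characters.
    "assigned_secret": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api_key|token)\s*=\s*["'][^"']{6,}["']"""),
}


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line that looks like an
    embedded credential. Line 5 of the sample is deliberately NOT flagged:
    it passes a variable, not a literal, which is the acceptable form."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits
```

The scanner is intentionally simple; production tooling adds entropy scoring and vendor-specific formats, but even this pattern set turns “remember not to commit secrets” into a step the process enforces, which is the point the text makes about duty of care.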
Training Negligence
Training negligence happens when employees or third-party personnel (e.g., suppliers and vendors) are not adequately educated on cybersecurity best practices, creating a human vulnerability that attackers frequently exploit. The January 2022 Okta breach occurred because a third-party support engineer’s laptop was compromised due to a social engineering attack, and the laptop contained the credentials required to access the company’s internal resources. Similarly, the infamous 2010 Stuxnet attack likely happened because an employee brought in a USB external drive through an air gap at the Natanz nuclear plant in Iran, triggering the Stuxnet malware that severely damaged Iran’s nuclear centrifuges meant for uranium enrichment (Datta and Acton, 2023).
‘Better training' is insufficient if organizations structurally underinvest in it. Effective intervention requires: requiring third-party security certifications, conducting security verification audits, limiting third-party access scope, implementing technical controls (USB restrictions) that compensate for training limitations, and recognizing that relying on human training without technical backup guarantees failures.
Monitoring negligence
Monitoring negligence occurs when employees fail to adequately detect, analyze, and respond to suspicious activities within a network or system, allowing attackers to operate undetected for extended periods, escalating the potential for disruption and data exfiltration. The 2021–2022 extended Lapsus$ hackers’ activities relied on employees’ monitoring negligence to linger in their victims’ networks for months, before exfiltrating data or launching destructive attacks. Comprehensive monitoring involves collecting logs from various sources, utilizing Security Information and Event Management (SIEM) systems, employing intrusion detection/prevention systems (IDS/IPS), and having a skilled security operations center (SOC) team capable of analyzing alerts and responding swiftly to potential threats.
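What “analyzing alerts” looks like in a SIEM is a correlation rule over the raw events. The following is an added example written for this case, not code from the case authors or from any SIEM product: two rules run over a constructed NDJSON authentication log. The first flags MFA push bombing (a run of denied pushes for one user followed by an approval within a short window); the second flags a successful login from a country absent from that user’s historical baseline. The log lines, user names, thresholds and baseline are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log: one JSON event per line. Not real data.
SAMPLE_LOG = """
{"ts":"2022-01-20T02:00:05Z","user":"jdoe","event":"mfa_push","result":"denied","country":"US"}
{"ts":"2022-01-20T02:00:41Z","user":"jdoe","event":"mfa_push","result":"denied","country":"US"}
{"ts":"2022-01-20T02:01:17Z","user":"jdoe","event":"mfa_push","result":"denied","country":"US"}
{"ts":"2022-01-20T02:01:50Z","user":"jdoe","event":"mfa_push","result":"denied","country":"US"}
{"ts":"2022-01-20T02:02:30Z","user":"jdoe","event":"mfa_push","result":"approved","country":"US"}
{"ts":"2022-01-20T02:02:31Z","user":"jdoe","event":"login","result":"success","country":"BR"}
{"ts":"2022-01-20T09:15:00Z","user":"asmith","event":"mfa_push","result":"approved","country":"US"}
{"ts":"2022-01-20T09:15:01Z","user":"asmith","event":"login","result":"success","country":"US"}
"""

# Assumed thresholds: this many denied pushes inside the window, then an approval.
PUSH_BOMB_DENIALS = 3
PUSH_BOMB_WINDOW = timedelta(minutes=10)

# Constructed baseline of countries each user has logged in from before.
BASELINE: Dict[str, Set[str]] = {"jdoe": {"US"}, "asmith": {"US", "CA"}}


def parse_events(raw: str) -> List[dict]:
    """Parse NDJSON lines into dicts with a real timestamp, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events: List[dict]) -> List[str]:
    """Users for whom an MFA approval follows at least PUSH_BOMB_DENIALS
    denials inside PUSH_BOMB_WINDOW: the user was worn down into accepting."""
    denials: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[str] = []
    for e in events:
        if e["event"] != "mfa_push":
            continue
        user = e["user"]
        if e["result"] == "denied":
            denials[user].append(e["ts"])
        elif e["result"] == "approved":
            recent = [t for t in denials[user] if e["ts"] - t <= PUSH_BOMB_WINDOW]
            if len(recent) >= PUSH_BOMB_DENIALS and user not in alerts:
                alerts.append(user)
            denials[user].clear()   # an approval ends the sequence either way
    return alerts


def detect_new_country(events: List[dict], baseline: Dict[str, Set[str]]) -> List[str]:
    """Successful logins from a country the user has never used before."""
    alerts = []
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            if e["country"] not in baseline.get(e["user"], set()):
                alerts.append("%s:%s" % (e["user"], e["country"]))
    return alerts


def run_rules(raw: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    """Apply both rules to a log and return the alerts per rule."""
    events = parse_events(raw)
    return {
        "push_bombing": detect_push_bombing(events),
        "new_country": detect_new_country(events, BASELINE),
    }
```

On the sample, `jdoe` trips both rules within the same two minutes, which is exactly the moment a staffed SOC should be paged; the same events left in a log that nobody queries are the “monitoring negligence” the text describes, because the evidence existed and no process consumed it.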
Elsa raised a series of thought-provoking questions. “Given the interconnectedness of technical systems and human behavior, how can we design security processes and tools that minimize the opportunity for ‘Configuration Negligence’ or ‘Process Negligence’ by making the secure path the path of least resistance for employees, favoring preventative design and system architecture over simple training? In the context of the four types of negligence (Configuration, Process, Training, Monitoring), where would a student’s or practitioner’s current role, or an organization’s resources, be most effectively applied to achieve the greatest reduction in overall risk, and what specific metric would be used to measure that success? If ‘Training Negligence’ is a core human vulnerability, what innovative, continuous, and context-specific methods, beyond annual compliance videos, can organizations implement to foster a genuine ‘duty of care’ culture and ensure security knowledge is applied consistently in daily operational tasks?”
Therefore, the solution is not ‘monitor better’ but acknowledging that perfect monitoring is unaffordable for most organizations. This requires strategic choices: what assets merit intensive monitoring? What threats are most likely? Where should limited resources concentrate?
Diffused responsibility factors
Diffused responsibility in cybersecurity reflects a fundamental tension in organizational design: modern technical systems require distributed expertise and effort, while accountability for security failures demands concentrated ownership. This tension creates systematic accountability gaps, spaces where everyone is responsible, therefore no one is responsible.
Vendor assumptions
Organizations often assume their third-party software or service providers have adequate security, without conducting their own due diligence or requiring robust security clauses, and so inherit risk. The July 2021 Kaseya ransomware attack reached its victims through the cloud-based Managed Service Providers (MSPs) they relied on (Datta, 2022). Responsibility diffused onto vendors meant that a vulnerability in Kaseya’s VSA software, once exploited, spread widely down the supply chain, affecting numerous downstream clients.
Organizations hired Kaseya for IT management services, delegating technical responsibility. The information asymmetry: Kaseya knew its VSA software had vulnerabilities; client organizations lacked technical capability to assess Kaseya’s security posture. Kaseya faced incentives to prioritize functionality (attracts clients) over security (costly, invisible), while client organizations faced incentives to minimize IT costs (Kaseya cheaper than internal teams) and maximize functionality, leading to conflicting responsibilities.
Functional, geographic, and regulatory diffusion
As technology integrates into every organizational facet, employees frequently delegate cybersecurity duties to others. Viewing security solely as an IT function leads departments to inadvertently create vulnerabilities. Consequently, many breaches involving misconfigured cloud assets or insecure coding result from a lack of shared responsibility among development, operations, and security teams.
Multinational corporations struggle to maintain consistent security across global offices due to varying cultures, laws, and technological maturity, which expands their attack surface.
Additionally, employees managing diverse data types (governed by, for example, HIPAA, PCI DSS, and GDPR) face responsibility diffusion. Managing these complex regulatory frameworks without a unified strategy often leads to overlooked or improperly implemented security controls.
Specialized security teams often inadvertently signal that security is solely their responsibility, a rational but dangerous inference given that most failures stem from outside their direct control: developers, operations staff, and ordinary employees trigger most breaches. Geographic diffusion compounds this, as global standardization efforts struggle against local variations in law, infrastructure, and culture; consequently, multinational organizations face a difficult choice between enforcing rigid global standards that ignore local context and adapting policies at the cost of security consistency. Regulatory diffusion stems from the intersection of cross-border data and diverse legal frameworks. Conflicts in mandates, such as HIPAA’s technical focus versus GDPR’s privacy-by-design, alongside differing penalties and audit standards, frequently cause compliance drift.
Elsa questioned, “So, how do we manage these overlapping human and regulatory variables, with the immense challenge of mapping specific regulations to data sets, prioritizing conflicting rules, and maintaining compliance amidst shifting global standards?”
Analyzing employee conditioning: Potential and pitfalls
Behavioral experts Elsa and Maya identified employee conditioning, a classic learning framework, as a vital instrument for correcting recurring cybersecurity lapses and reshaping corporate habits.
Organizations can apply operant and classical conditioning to turn instinctive employee reactions into reliable security practices. By utilizing repeated stimuli and positive reinforcement, these techniques help embed durable security habits throughout the workforce.
Given that human error contributed to 95% of 2024 data breaches, Elsa and Maya advocated for conditioning, encompassing behavioral modification and training, as a core strategy. However, they cautioned that such programs require careful implementation to navigate their inherent limitations and potential risks.
“We must treat ‘nudges’ as an essential requirement rather than a theoretical luxury,” Maya noted.
“Nudge theory focuses on crafting digital environments that subtly direct individuals toward safer choices without resorting to restrictive rules. These interventions are designed to make the secure option the most intuitive and effortless path.”
Elsa added that nudges must remain relevant and highly visible at the moment of decision. She emphasized simplification as a critical element: if a secure path is overly complex, employees will likely bypass it.
While standard training often limits its focus to phishing education, just-in-time nudges offer a more precise alternative. A practical example is a contextual alert that appears when a user hovers over a dubious link, suggesting a secure action like reporting the threat before any damage occurs. For behavioral conditioning, Elsa and Maya knew that organizations needed to consider the following (Figure 2: A secure behavioral framework).
Implement adaptive training and tailored learning
To effectively mitigate employee error in cybersecurity, organizations must prioritize investments in adaptive training programs. Recognizing that employees possess diverse learning styles, a one-size-fits-all approach to training is often ineffective. Adaptive training, by contrast, uses behavioral analytics to customize learning experiences to individual needs, leading to improved knowledge retention and the development of more robust security behaviors.
Implementing adaptive training in cybersecurity is a multifaceted endeavor that goes beyond simply rolling out new software. It necessitates a deep commitment to understanding the unique learning preferences of each employee. This involves assessing their current knowledge gaps, preferred learning styles (e.g., visual, auditory, and kinesthetic), and even their daily work routines to integrate training seamlessly.
Leverage technology to complement adaptive training
Effective employee conditioning requires leveraging technology to both monitor employee behavior and deliver personalized content. Monitoring, when implemented ethically and transparently, can identify areas where employees struggle with security protocols or are more susceptible to social engineering attacks. This data then informs the creation of highly targeted training modules, delivered through various channels such as interactive simulations, short video tutorials, gamified exercises, or micro-learning bursts, to provide the right information to the right person, at the right time, in a format that resonates with their individual learning style.
Iteratively evaluate employee behaviors
The effectiveness of any adaptive training program hinges on continuous evaluation. This isn’t a one-time assessment but an ongoing process of collecting feedback, analyzing training outcomes, and refining the program based on observed improvements and persistent vulnerabilities. Regular re-assessments of employee knowledge, coupled with an analysis of security incidents (or lack thereof), are vital for demonstrating the program’s value and ensuring its ongoing relevance in the face of evolving cyber threats. This iterative process of understanding, leveraging, and evaluating ensures that cybersecurity training remains dynamic, engaging, and genuinely impactful in strengthening an organization’s human firewall. This strategic investment is crucial for building a resilient cybersecurity posture that effectively addresses the human element of risk.
Consider employee conditioning perils
While the promises of employee conditioning are significant, it’s crucial to acknowledge the potential pitfalls and unintended consequences that can arise if it is not implemented thoughtfully and ethically. For example, an overemphasis on adaptive training can become a convenient mechanism for organizations to deflect blame and avoid addressing deeper, systemic security failures. Consider how the focus on an HVAC contractor employee’s successful phishing click, which led to Target’s 2013 breach, overshadowed critical network segmentation failures within Target’s infrastructure. The breach was not solely due to vendor error but a combination of factors.
Similarly, tailored, technology-driven iterative employee conditioning can add to cognitive overload and security fatigue. When coupled with a constant barrage of security alerts and messages, this type of behavioral monitoring and intervention can become counterproductive, leading to desensitization and, ultimately, “security fatigue.”
Balance human-in-the-loop (HITL) and human-out-of-the-loop (HOOTL)
HITL and HOOTL, originally used to describe the level of human involvement in automated systems, particularly those involving Artificial Intelligence (AI), are extremely relevant in cybersecurity. In cybersecurity, HITL systems involve employees actively participating in decision-making, while HOOTL systems operate autonomously with minimal or no employee intervention.
This raises interesting questions about tailored, technology-driven iterative employee conditioning. When should technology meant to monitor and offer feedback to the employee intervene to protect organizational assets? If employee monitoring flags insecure employee behavior or detects that tailored employee conditioning may not be working, how should the technology (e.g., an AI cybersecurity defense system) intervene? Should technology practice HITL and nudge the employee when employee conditioning fails? How? Or should technology practice HOOTL when employee conditioning fails? Take, for example, the tragic June 2025 Air India crash where pilots mistakenly or negligently turned on the fuel cutoff switch. Despite years of employee conditioning via training, should aircraft deploy technology that not only monitors and iteratively feeds back information and flags to the pilot but also intervenes and overrides pilot errors by switching the fuel back on?
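To make the HITL/HOOTL question concrete, here is an added illustrative policy (not code from the case, and not any vendor’s product) that decides, for each flagged insecure action, whether to nudge the employee, to stay silent and only log so as to avoid the security fatigue described above, or to take the human out of the loop once nudges have demonstrably failed to change behavior; the thresholds and the hour-based timeline are assumptions.

```python
# Added illustrative example: a nudge-vs-override policy for a behavioral
# monitoring system. Not from the case; every threshold below is assumed.
# Time is modelled as plain hours so the logic stays self-contained.
from dataclasses import dataclass, field

NUDGE_WINDOW_HOURS = 24              # fatigue guard looks at the last day (assumed)
MAX_NUDGES_PER_WINDOW = 2            # beyond this, nudges become noise (assumed)
CONDITIONING_WINDOW_HOURS = 720      # 30 days for conditioning to "take" (assumed)
ESCALATE_AFTER_POST_NUDGE_FLAGS = 3  # repeated flags *after* nudging => HOOTL (assumed)


@dataclass
class EmployeeRecord:
    """Timestamps (hours) of insecure-behavior flags and of nudges delivered."""
    flags: list = field(default_factory=list)
    nudges: list = field(default_factory=list)


def decide(record: EmployeeRecord, now: float) -> str:
    """Return 'hitl_nudge', 'log_only' (fatigue guard) or 'hootl_block'."""
    recent_flags = [t for t in record.flags if now - t <= CONDITIONING_WINDOW_HOURS]
    window_nudges = [t for t in record.nudges if now - t <= CONDITIONING_WINDOW_HOURS]
    # Flags that occur after the first nudge in the window are evidence that
    # conditioning is not working for this person; that, rather than the raw
    # flag count, is what justifies taking the human out of the loop.
    post_nudge_flags = [t for t in recent_flags if window_nudges and t > window_nudges[0]]
    if len(post_nudge_flags) >= ESCALATE_AFTER_POST_NUDGE_FLAGS:
        return "hootl_block"
    # Fatigue guard: once the daily nudge budget is spent, keep logging but stay quiet.
    nudges_today = [t for t in record.nudges if now - t <= NUDGE_WINDOW_HOURS]
    if len(nudges_today) >= MAX_NUDGES_PER_WINDOW:
        return "log_only"
    return "hitl_nudge"


def handle_flag(record: EmployeeRecord, now: float) -> str:
    """Record a new flag, apply the policy, and remember any nudge delivered."""
    record.flags.append(now)
    action = decide(record, now)
    if action == "hitl_nudge":
        record.nudges.append(now)
    return action


def run_policy(flag_times: list) -> list:
    """Replay an ordered sequence of flag timestamps for one employee; return the actions."""
    record = EmployeeRecord()
    return [handle_flag(record, t) for t in flag_times]


if __name__ == "__main__":
    # Constructed timeline: four flags within a few hours of each other.
    print(run_policy([0, 1, 2, 3]))  # ['hitl_nudge', 'hitl_nudge', 'log_only', 'hootl_block']
```

The same employee flagged three times across three months stays in the loop throughout, whereas flags that keep arriving after nudges were delivered trigger the override; the counters and windows are where an organization encodes its own HITL/HOOTL trade-off.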
Conclusion
The remnants of rain on the Belgravia street below had all cleared, and sheets of flipchart found their way to the shredder, ready for composting. Elsa and Maya stopped their discussion. It was late afternoon, and it was time to break. Both knew that employees remained core to an organization’s risk profile and employee conditioning was a thin red line that went beyond mere awareness to enable a proactive and ingrained security-first mindset.
Elsa spoke, “But what do you do when employees prioritize convenience, fall prey to emotions, stay negligent, pass the buck on responsibilities, or act vengefully against their own organizations, for disruption or for profit? The next few years will be particularly interesting with the rise of AI threatening to displace employees. What model will reign in the cybersecurity arena? HITL or HOOTL?”
Maya added, “Our job is unfinished. It’s clear that human behaviors cannot be isolated from one another: there is so much overlap, many dependencies, perhaps some cause-and-effect between factors we have identified. We need a way to tease these out and to determine which behaviors, which factors, which elements are most impactful. And … what we can do about it!”
While the promise of employee conditioning lies in its ability to create more security-conscious organizations and reduce opportunistic attacks, the peril lies in using it as a substitute for proper technical controls, sound organizational processes, and realistic acknowledgment of human cognitive limitations. The future of cybersecurity requires moving beyond the false choice between technical solutions and human training toward integrated approaches that leverage human strengths while compensating for human weaknesses through intelligent system design.
Discussion questions
(1) With 95% of data breaches due to human error, in the context of the various “behavioral factors” discussed (Emotional, Cognitive, Negligence, Diffused Responsibility), how does human behavior complicate cybersecurity management?
(2) What are the risks of using employee conditioning and behavioral nudges to improve cybersecurity? Are such risks reputational, operational, financial, ethical, and/or strategic?
(3) How do you think organizations can maintain a culture of vigilance and responsibility without inducing blame, fear, reluctance to report, or security fatigue?
(4) Do Human-in-the-Loop (HITL) and Human-out-of-the-Loop (HOOTL) systems represent opposing or complementary approaches to controls in cybersecurity? When might each be implemented?
(5) The case mentions “risk normalization” and “phishing fatigue.” What steps can organizations take to combat these phenomena and maintain a high level of vigilance among employees regarding pervasive threats like phishing?
(6) How might organizational norms contribute to behavioral cybersecurity failures, such as ignoring protocols or blindly following authority?
(7) If you were tasked with designing a behavioral cybersecurity strategy on one page, what three elements would be essential? Would achieving one such element lead to tensions in achieving another, or can they be complementary?
(8) Maya observes that “Behaviors are like that, sometimes people aren’t vigilant, don’t see the consequences, or carry on regardless!” How can organizations effectively communicate the long-term consequences of poor cybersecurity hygiene to employees in a way that truly motivates behavioral change?
(9) The case conclusion sheds some light on how a seemingly simple view of cybersecurity (the people, processes, technologies (PPT) perspective) may not be simple after all. How might a better understanding of human factors provide a new or improved lens through which to explore how people interact with processes and technologies?
Footnotes
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
