(Part 2 of a three-part series. Read Part 1 here).
Authors: Jamie Douglas, Andy Andrews and Matt O’Sullivan
“If people are the biggest risk, how do we manage them?” It sounds logical. But it starts from the wrong place.
This idea has become one of cybersecurity’s most damaging myths. It encourages blame instead of design, compliance instead of capability, and control instead of trust. When something goes wrong – a phishing click, a misconfiguration, a missed alert – the reflex is to point to the person.
But the truth is simpler: people often respond to the incentives, pressures and signals embedded in their environment. Organisational systems and leadership signals strongly influence how people behave.

Why “People Are the Weakest Link” is Strategically Dangerous
Calling people the weakest link creates a false division between humans and systems. It treats behaviour as a liability to be controlled rather than an asset to be developed. It also deflects responsibility: if “people” are the issue, then leadership and system design are off the hook.
When people break rules, override controls or ignore warnings, it is often because the organisation rewards speed, responsiveness or convenience over security. The better question isn’t “Who chose to bypass the rules?” but “What in the environment encouraged or enabled that?”
Why Humans Are the Heart of Cyber Resilience
Technology enforces consistency; humans manage ambiguity.
When controls fail, and they will, people detect the anomalies, interpret incomplete signals and restore operations.
People are the adaptive component of cybersecurity systems. They:
- Detect unusual behaviour that automation misses
- Recognise manipulation that bypasses filters
- Make time-critical decisions under uncertainty
- Restore operations after incidents
Cyber resilience depends on how humans respond when the technology alone cannot.
Verizon’s 2026 Data Breach Investigations Report [1] found that the human element was present in 62% of breaches. So human behaviour clearly matters, but are organisations consciously developing the competencies that shape it?
The Competencies That Actually Protect the Organisation
An employee’s ability to recognise unusual behaviour or to escalate uncertainty often matters more than policy completion rates.
Resilient organisations develop the behavioural, cognitive and technical capabilities that help people make effective decisions under pressure. These include competencies such as:
- Risk Assessment: the ability to make calibrated decisions when information is incomplete and speed matters. This capability often determines whether genuine threats are escalated appropriately or missed entirely.
- Critical Thinking: the ability to question assumptions, challenge established practices, and apply independent judgement to ambiguous situations rather than relying solely on accepted approaches.
- Adaptability: cyber threats evolve constantly and resilient individuals can respond effectively to unfamiliar, rapidly changing situations rather than relying solely on established patterns.
- Analytical Thinking: the ability to notice subtle inconsistencies, unusual behaviour or weak signals before a threat is formally identified.
- Emotional Intelligence: particularly important in resisting social engineering attacks that exploit urgency, fear, authority or helpfulness.
- Communication: the willingness and ability to escalate uncertainty clearly and early, even when the situation is ambiguous.
These competencies directly influence whether warnings are investigated early or ignored as noise. Yet few organisations systematically define, assess or develop them.
Research by Ipsos [2] found that only 29% of the businesses surveyed had conducted a cybersecurity risk assessment in the previous year, and only 30% had a formal incident response plan. This suggests that many organisations still approach cyber resilience primarily through technical controls and awareness activities, rather than through the structured development of human capability.
That disconnect creates a significant resilience gap.
How to Design Organisations That Enable Secure Behaviour
Improving cybersecurity isn’t about perfecting individuals; it’s about building environments where secure behaviour happens naturally. Resilient organisations deliberately design systems, workflows and leadership behaviours that support sound security decisions under real-world conditions.
If human behaviour shapes cyber outcomes, then organisations must deliberately design for how people actually work and make decisions by:
1. Making behavioural expectations specific
Generic policies like “be vigilant” offer little practical guidance. People need to know how to respond when demands conflict or pressure increases.
Clear, role-based expectations help anchor secure behaviour in operational context. For example: “Verify all payment changes through a secondary channel before approval.”
The Lexonis competency framework, for example, defines observable behavioural indicators for each competency at several proficiency levels. The Emotional Intelligence competency, for instance, includes indicators such as the following (drawn from a range of proficiency levels):
- Reflects on emotional triggers and adjusts behaviour based on feedback and outcomes.
- Manages emotional responses under moderate pressure and recovers constructively from setbacks.
- Anticipates emotional responses and consciously leverages strengths while mitigating limitations.
- Maintains composure in complex or high-stakes situations and models constructive emotional behaviour.
2. Building psychological safety for escalation
Employees are less likely to escalate concerns when being wrong is punished or discouraged.
Research by Cohesity [3] found that many employees limit escalation pathways during cyber incidents: 43% said they would report a potential breach only to their line manager, and 7% said they would not report it at all.
In cybersecurity, delayed escalation often increases operational risk.
Research on psychological safety [4] consistently shows that employees are more likely to raise concerns, report mistakes and address uncertainty when organisations create environments where speaking up is supported rather than punished.
Resilient organisations normalise early questioning and treat escalation as a responsible action rather than a failure.
3. Using leadership as a key behavioural cue
According to the 2025/26 Cyber Security Breaches Survey [2], 72% of businesses surveyed reported that cybersecurity was a high priority for their senior management (much higher among large and medium businesses, at 96% and 92% respectively). However, stated priority alone is not sufficient; leadership behaviour ultimately determines how those priorities are understood and acted upon in practice. People rarely follow policies alone; they follow organisational signals.
If leaders bypass controls to move faster, others will usually follow suit. Conversely, when leaders openly question risks, support caution under pressure and reinforce secure trade-offs, those behaviours become culturally reinforced.
4. Making security part of how work gets done
Security becomes harder to sustain when it disrupts workflow or creates unnecessary friction.
Studies on cybersecurity fatigue [5] have found that repetitive access requests, excessive security checks and workflow disruption contribute directly to disengagement and neglected security behaviour. Security can’t be an afterthought. It must integrate into daily workflow so that the secure choice is the easiest choice.
Research into human factors in cybersecurity [5] increasingly shows that security controls are more effective when aligned with operational workflow and human behaviour, rather than added as separate compliance burdens.
What does this look like in practice?
- Single sign-on and MFA are streamlined rather than obstructive (fewer, phishing-resistant prompts rather than weaker ones)
- Suspicious email reporting is reduced to a single click
- Approved collaboration tools are easier to use than external alternatives
- Security prompts appear at the point of decision, not buried in policy documents
- Automated patching reduces unnecessary cognitive load
When security is integrated into everyday workflow, secure behaviour becomes easier, more consistent and less dependent on constant vigilance. Employees no longer need to choose between productivity and security because the secure option is built into how work gets done. This requires a shift in organisational focus, from enforcing controls to designing conditions that support secure behaviour.
Behaviour as a Strategic Asset
The future of cybersecurity maturity won’t be defined by the number of tools or size of the security team. It will be measured by how well organisations enable human capability across all roles.
Organisations that improve decision-making, escalation behaviour and adaptive learning will recover from incidents faster and with less operational disruption.
Attackers have long exploited human behaviour systematically; defenders now need to apply the same level of behavioural understanding.
Conclusion: People Are the Solution
People aren’t the weakest link; they are a critical element in cybersecurity, capable of adapting, learning and recovering when controls fail.
The challenge for leadership is not managing people as risks but designing systems that unleash their capability.
Awareness training alone is not enough. Organisations must deliberately design for secure behaviour, adaptive decision-making and human resilience.
Achieving this requires a more structured approach that underpins security performance. At Lexonis, we help organisations do exactly that by defining and developing the human capabilities that drive measurable security outcomes.
Want to take the next step?
Book a chat and a demo with Lexonis today.
Interested in learning more?
See for yourself how the latest skills framework from the Chartered Institute of Information Security (CIISec) translates into real role design, skills assessment and planning inside the Lexonis TalentScape platform.
Register to watch our live demo:
CIISec Skills and Jobs Framework in Action
References:
[1] Verizon Business (2026), Data Breach Investigations Report.
[2] Ipsos (2025/26), The UK Government’s Cyber Security Breaches Survey 2025/26.
[3] Cohesity UK (2025), “Why are so many businesses still failing when it comes to cyber resilience?”
[4] CIPD (2024), Trust and psychological safety: An evidence review.
[5] Cassidy Norton, Zainab Ruhwanya and Jacques Ophoff (2025), Factors Contributing to Cybersecurity Fatigue, International Symposium on Human Aspects of Information Security and Assurance.