Human Centric Resilience: Cyber Security Design for Real-World Behaviour in 2026

One of the most persistent misconceptions in cyber security is the belief that human risk is primarily a people problem. In reality, it is also a design problem, and, increasingly, boards, regulators, and threat actors alike recognise it as such. As cyber risks continue to evolve, driven by digital transformation, threats are shifting from targeting systems to exploiting people and their identities.

Research consistently shows that the vast majority of cyber incidents involve human error. In fact, over 90% of breaches involve the human element, emphasising the importance of human centric security strategies. Yet most organisations continue to respond by increasing security training, tightening policies, and adding layers of control. Despite decades of investment, why are incident levels still so stubbornly high?

The explanation is uncomfortable but clear: many security failures occur not because people are careless, but because the environments in which they operate are misaligned with how work actually gets done.

When security slows execution, interrupts workflow, or makes the secure path harder than the alternative, behaviour adapts predictably. Shortcuts emerge. Informal practices normalise. Controls are bypassed, sometimes unintentionally, sometimes deliberately. This misalignment often leads to credential misuse and data loss, which are common consequences that can result in unauthorised access, breaches, and exposure of sensitive information.

Resilience rarely collapses suddenly. It erodes. And when it does, the consequences are operational as much as technical: disrupted services, financial loss, regulatory scrutiny, and damaged trust. The importance of addressing these issues cannot be overstated, as it is essential to protect organisational assets, people, and reputation.

Forward looking organisations are recognising a critical truth: cyber security threats now predominantly target people instead of systems, making the human element central to effective security.

Security strategy that works in theory but fails in practice is not resilience, it’s exposure.

Security as Friction Is a Structural Risk

Across industries, a familiar pattern persists. Complex password requirements drive insecure storage and credential reuse, and many users become impatient with multi-factor authentication. Reusing passwords is a common insecure behaviour, often resulting from password fatigue or the difficulty of remembering multiple complex credentials without appropriate tools. Authentication processes disrupt workflow continuity, encouraging shortcuts. Approval chains designed to control access instead teach employees how to route around them when urgency rises. On paper, these environments appear controlled. In reality, they are fragile.

The gap between documented control and operational behaviour, including the limitations of security policies, creates the conditions for both unintended error and deliberate misuse.

The issue is not awareness alone. Most professionals understand what is expected of them. The deeper problem is structural: security is too often experienced as friction competing with productivity, service continuity, and commercial outcomes. Faced with this tension, people respond rationally. They prioritise delivery, and security practices are often compromised under operational pressures. Over time, workarounds become embedded in the operating model. Vulnerabilities accumulate quietly until they surface as incidents.

Poorly aligned security protocols therefore create a dual cost. Not only do they elevate cyber risk, but they also suppress operational efficiency. The shift towards human-centric security is driven by the realisation that traditional security awareness programmes have failed to reduce unsafe employee behaviour.

Organisations that redesign controls so the secure path is also the easiest path achieve something strategically powerful: they reduce exposure while improving execution. Cultivating an effective security culture becomes a strategic advantage — security stops being organisational drag and starts enabling performance.

Accountability Has Changed the Conversation

The shift underway is not driven solely by attackers. It is being accelerated by regulators. Supervisory expectations have moved beyond demonstrating that controls exist. Increasingly, regulators are asking a far more demanding question: Can the organisation continue to operate securely and focus on mitigating security risks when conditions are no longer normal?

On the frontline, this includes scenarios where:

  • Operational pressure intensifies
  • Decision velocity increases
  • Systems degrade
  • Suppliers fail
  • Human error rises
  • Malicious behaviour is attempted

In these situations, leveraging advanced tools is essential to support secure operations under stress and to detect and respond to sophisticated threats effectively.

This question reaches far beyond cyber tooling. It interrogates how organisations behave under stress and whether important business services remain within tolerance when disruption occurs.

For boards, this marks a governance inflection point. Cyber resilience is no longer a technical matter that can be delegated downward. It is now directly tied to operational continuity, financial stability, regulatory confidence, and enterprise value. Improving security culture requires sustained leadership, buy-in, and investment from the top of the organisation.

Leading organisations understand that resilience is not merely defensive; it is commercially material and is becoming a performance characteristic. Those that design security to function in real conditions experience fewer operational disruptions, lower incident costs, faster recovery, stronger execution under pressure and, ultimately, greater stakeholder confidence.

From Behaviour Correction to Environment Design

The organisations responding most effectively are no longer attempting to “fix people.” They are redesigning the environments in which decisions occur. To support this, it is essential to build relationships across teams such as HR, IT, communications, and leadership to foster collaboration and strengthen the overall security culture.

Rather than relying primarily on vigilance, they embed security directly into workflows, tooling, and operational processes. This not only reduces reliance on individual effort but also strengthens guardrails against misuse. Controls are aligned to real roles, meaning security supports decisions in real time. Put into action, this ensures operational pressures are designed for, not ignored.

This shift is particularly critical in highly regulated sectors such as financial services and critical national infrastructure, where resilience extends well beyond corporate IT estates.

Large portions of the workforce operate across branches, control rooms, operational sites, and data centres, all environments where access decisions are simultaneously physical and digital, and where hesitation carries real-world consequences for everyday citizens. When resilience is designed only through a traditional cyber lens, organisations often default to manual processes, shared access, inconsistent safeguards, or locally developed workarounds, creating vulnerabilities that can be exploited by social engineering attacks.

The result is predictable: a widening gap between policy and practice, and rising operational risk. By contrast, organisations that align security with the realities of delivery streamline execution, strengthen accountability, reduce avoidable delay, and protect revenue-generating services. Security becomes less about restriction and more about enabling reliable performance. Effective security culture initiatives require collaboration between security, human resources, IT, and communications teams.

Critically, these organisations validate their designs, meaning assurance shifts from theoretical to observable. Through scenario testing, operational exercises, and real-world simulation, they generate evidence that controls hold under pressure. This comprehensive approach combines technical defences with human-centric resilience to address evolving threats.

To improve security culture, organisations must engage with and educate the workforce, understanding what drives behaviours.

The Emergence of Human Centric Security and Resilience

Out of this shift has emerged a more mature operating philosophy: Human Centric Resilience, rooted in the principles of human-centric security.

Human centric security differs from traditional approaches by prioritising the understanding and integration of human behaviour, psychology, and interactions within cyber security measures. This represents a fundamental change in how organisations approach security, moving away from purely technical controls to strategies that recognise employees as valuable allies, not just potential risks, in the fight against cyber threats.

Consider a hypothetical financial services firm that implemented a human centric security programme combining behavioural analytics with ongoing, engaging cyber security education. By focusing on employee experience and making security practices intuitive and relevant, the organisation saw a significant reduction in phishing incidents, data breaches and emerging threats. Ultimately, by fostering a culture where employees are actively engaged in identifying and reporting threats, a proactive approach can be the difference between preventing a threat from occurring and losing sensitive data.

Organisations are resilient when they are designed to operate securely in the real world, not just in control frameworks. Human-centric security recognises that over 90% of data breaches involve the human element, and that threat actors predominantly target people rather than systems. As traditional security perimeters dissolve, accelerated by remote work and digital transformation, organisations must prioritise employee experience and well-being in the design and implementation of security controls.

This requires anchoring security to important business services rather than abstract control sets, understanding where human judgement materially affects outcomes, and shaping environments that guide behaviour toward secure action while constraining unsafe or malicious activity. A human-centric model fosters a culture of collaboration, empathy, and shared responsibility, where employees transition from liabilities to active defenders against cyber threats.

Just as importantly, it requires evidence, not assumptions, that services can remain within tolerance during disruption. Effective human centric security demands a holistic strategy that addresses both technical robustness and behavioural resilience, integrating human behaviour insights and ongoing cyber security education to build a security-conscious workforce. Organisations with a resilient security culture where employees are actively engaged and security teams are dynamic, positive, and business-focused, see 30% fewer security incidents than those without one.

By removing the structural conditions that drive unsafe behaviour, and by understanding that people are the most important asset, organisations can lower incident frequency, reduce operational drag, protect revenue and improve execution consistency, strengthening stakeholder trust in the long term.

The most resilient organisations do not simply recover faster; they fail less often. Through deliberate design and continuous validation, they reduce exposure before it materialises, enabling more predictable operations and supporting long-term value creation.

Why Boards Are Paying Attention

For boards, this evolution presents both a strategic challenge and a material opportunity. Organisations that embed resilience into their operating model do more than satisfy regulatory expectations; they perform with greater consistency and confidence.

By supporting secure behaviour and constraining misuse, they minimise disruption, protect critical services, protect sensitive information through effective security practices, and strengthen organisational trust. Those that fail to adapt face a growing gap between perceived resilience and actual performance under stress.

Controls that appear robust on paper can falter rapidly in live conditions, particularly when human behaviour intersects with poorly aligned systems. Organisations must invest in continually developing the capability of the teams responsible for improving security culture.

The debate over whether human factors matter is over. The real question now is whether organisations continue attempting to correct behaviour or redesign the systems that shape it. Because in 2026, resilience is not defined by policies. It is defined by performance under pressure.

Improving security culture is a significant undertaking that requires a coordinated, ongoing, and iterative effort. Organisations that design for reality will be better positioned to operate securely, respond decisively, and sustain enterprise value in an increasingly volatile environment.

| Security Approach | Primary Focus | Outcome |
|---|---|---|
| Traditional / Control-Based | Policies & awareness training | High friction, persistent workarounds, slow adoption. |
| Human-Centric Security | Behavioural design & workflow alignment | Reduced incidents, improved execution, lower operational drag. |
| Human Centric Resilience | Real-world stress-testing & cultural change | 30% fewer incidents, stronger stakeholder trust, regulatory confidence. |
| Board-Level Integration | Operational continuity & enterprise value | Security becomes commercially enabling, not just protective. |


Logica Security is a UK based cybersecurity consultancy specialising in regulated and high-risk industries. We support organisations across cyber security, operational resilience and supplier risk.

© Logica Security Limited | Company Registration: 11806049. All rights reserved.