Understanding what’s behind employee security mistakes can help CISOs make meaningful adjustments to their security awareness training strategies.

Risks associated with cybersecurity continue to evolve, but one challenge remains a constant for CISOs: managing human error. Even with advanced solutions and sophisticated protocols in place, employees continue to inadvertently expose sensitive data and systems to cyber threats. Verizon’s 2024 Data Breach Investigations Report (DBIR) analyzed a record-high 30,458 security incidents from 2023, including 10,626 confirmed breaches — a two-fold increase over the year prior. Significantly, it found that more than two-thirds (68%) were attributed to the human element.

That’s why it’s critical for CISOs to understand what’s behind employee mistakes when they take an action that compromises security. As Carolin Desirée Toepfer, Cyttraction’s CISO, observes, “What we often forget from a cybersecurity perspective: The people we work with have a completely different background, a different daily routine, and a different approach to technology.”

With an understanding of the psychological factors influencing their workforce’s behaviors, CISOs may be better equipped to drive real risk awareness and bring about lasting behavioral change. Most such mistakes come down to one of three primary causes.

1. They don’t understand their role in defending

Despite training efforts, many employees do not fully understand the need to be vigilant as a first line of defense. Instead, they believe cybersecurity is the responsibility of the IT department and become lax about safeguarding data. As Itamar Shalev, a cybersecurity awareness expert, explains, “They are not as careful as they should be about clicking on suspicious links because they trust their company’s security systems to prevent anything harmful from coming through.” One way to solve this issue is to vary the formats and frequency of security training.
Toepfer says doing so will help better convey the importance of consistent vigilance and allow employees to absorb each lesson effectively rather than be overwhelmed with too much at once. “Don’t address the topic once a year or force colleagues to take part in awareness training, but present cybersecurity five to six times in different ways with different links and on different channels,” she says, recommending that specifically targeted videos just 3-15 minutes long be shown to employees every few weeks.

A related issue is that users can often be reluctant to report a problem because they fear the consequences when they’ve taken an action that puts the company’s security at risk. Such delays in notification extend the time for malicious actors to cause serious damage. According to Verizon’s DBIR, it takes an average of 55 days for organizations to patch critical vulnerabilities, and that time can translate into serious losses, from costly ransomware attacks to damage to the company’s reputation.

CISOs can address this issue by further fostering a culture where everyone recognizes the essential role they play in maintaining the security of the organization. Instead of contributing to a culture of fear by naming and shaming, CISOs can highlight people who have made smart security decisions and averted risks to serve as role models and turn events into learning experiences.

2. They prioritize convenience over security

People are naturally inclined to find the fastest possible route at work, and that often translates into taking shortcuts that compromise security for the sake of convenience. Even tech employees are not immune: for example, developers import libraries from public repositories assuming these are safe, even though such repositories continue to be used to distribute malware and steal passwords.
To avoid these shortcuts that can threaten systems, CISOs can put automated MFA prompts in place to limit the risk from compromised passwords, and restrict access to services that could put data at risk, including generative AI or downloadable libraries of code. CISOs should provide a list of safe alternatives to free services that the company’s developers can refer to for downloadables that have been scanned and certified to be free of malware.

3. They suffer from alert fatigue

Humans tend to go into auto-pilot mode for repetitive tasks and tune out constant alerts, explains cybersecurity advisor Alexandre Blanc. Scammers exploit this by inserting their phishing attempts and other attacks into digital messages that match what employees see all the time. While it’s possible to put up alerts on those, a constant flow of notifications creates alert fatigue. Employees learn to tune out the alarms and can come to ignore warnings for a real threat.

Verizon noted in its DBIR, “the most effective controls are typically the ones that leverage the human element along with technical resources.” The good news is that companies are recognizing that fact. Accordingly, Shalev says that many have started to apply “behavioral science techniques such as nudges and reminders to encourage desired security behavior.” Such nudges can prompt employees to pause and evaluate whether digital requests are legitimate before acting — without contributing to alert fatigue.

Blanc recommends giving employees the following three questions to work through:

Why did I get this message or request for information?
Did I ask for it?
Can I verify this request through another channel?

Users should use out-of-band communication for verification to deter attacks and scams. Contacting the purported sender through a phone number or email address previously established as legitimate is a good way to ascertain whether or not the message is authorized by the entity it claims to come from.
While CISOs can’t eliminate all human risk, they can significantly reduce incidents and promote a cyber-aware culture with a strategy that addresses the psychological drivers behind poor decisions. By forging a transparent, accountability-focused culture, security leaders can foster engaged and informed employees empowered to act as the first line of cybersecurity defense.