The Human Element in Cyber Security: Managing Risk and Cultivating a Science-Based Security Culture
Authors
Oil and Gas Free Zones Authority, Onne, Rivers State (United Kingdom)
IT Manager, Stowe School, Buckingham (United Kingdom)
Article Information
DOI: 10.51244/IJRSI.2025.12110070
Subject Category: Cybersecurity
Volume/Issue: 12/11 | Page No: 779-793
Publication Timeline
Submitted: 2025-12-01
Accepted: 2025-12-07
Published: 2025-12-09
Abstract
The modern digital enterprise faces an escalating cybersecurity challenge: recent analyses indicate that seventy-four percent of breaches originate from human factors such as error, negligence, or insider activity. This pattern confirms the limitations of traditional awareness training models, which focus mainly on information delivery rather than on scientifically measurable behavioural change. Building on contemporary human risk research and recent findings that demonstrate a persistent intention-behaviour gap, this study argues that human fallibility must be addressed through both cultural and technical controls. Drawing on NIST SP 800-50 and advanced Human Risk Management frameworks, the paper promotes a life-cycle approach to awareness, training, and cultural assessment that measures security culture across seven validated dimensions, providing a more meaningful alternative to superficial compliance metrics. To compensate for unavoidable human error, the framework adopts Zero Trust architecture as the foundational technical safeguard, supported by Just-in-Time access and automated cloud configuration enforcement as recommended in NIST SP 800-207. These controls eliminate standing privileges and reduce the attack surface created by risky human behaviour. The study synthesises programme structure, empirical evidence, and technical design into an integrated framework that public sector and resource-constrained organisations can adopt to achieve verifiable and sustainable reductions in human-centred security risk. Future research should empirically test this integrated model by measuring changes in observed security behaviour and incident rates after Zero Trust implementation and workload-informed intervention.
Keywords
Human Risk Management, Security Culture, Zero Trust, Phishing Behaviour, Workload Compliance, JIT Access
References
1. Ajzen I. The theory of planned behaviour. Organ Behav Hum Decis Process. 1991;50(2):179-211. doi:10.1016/0749-5978(91)90020-T
2. Cano JJM. The human factor in information security. ISACA J. 2019 Oct 9 [cited 2025 Nov 30]. Available from: https://www.isaca.org/resources/isaca-journal/issues/2019/volume-5/the-human-factor-in-information-security
3. Hadlington L. Human factors in cybersecurity: Examining the link between internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon. 2017;3(7):e00346. doi:10.1016/j.heliyon.2017.e00346
4. Verizon. 2025 Data Breach Investigations Report (DBIR). Verizon Business; 2025 [cited 2025 Nov 30]. Available from: https://www.verizon.com/business/resources/reports/dbir/
5. NIST. NISTIR 8272: Cybersecurity Framework Profile for Hybrid Satellite Networks. National Institute of Standards and Technology; 2024.
6. HubSpot. A comprehensive guide to preventing cloud misconfiguration [Internet]. HubSpot; 2024 [cited 2025 Nov 30]. Available from: https://www.hubspot.com/cloud-security/misconfiguration
7. Humanize. Zero trust security model explained: Principles, architecture, benefits [Internet]. Humanize; 2023 Nov 15 [cited 2025 Nov 30]. Available from: https://humanize.security/zero-trust
8. Jalali MS, Bruckes M, Westmattelmann D, Schewe G. Why employees (still) click on phishing links: Investigation in hospitals. J Med Internet Res. 2020;22(1):e16775. doi:10.2196/16775
9. Modi C, Patel D, Borisaniya B, Patel A, Rajarajan M. A survey on security issues and solutions at different layers of cloud computing. J Supercomput. 2013;63(2):561-592. doi:10.1007/s11227-012-0831-5
10. North RA. Government best practices in system usability: A brief history and status [Internet]. Human Centered Strategies, LLC; n.d. [cited 2025 Nov 30].
11. Reason J. Human error. Cambridge: Cambridge University Press; 1990.
12. Roer K, Petrič G. To measure security culture: A scientific approach [Internet]. CLTRe; 2018 [cited 2025 Nov 30]. Available from: https://cltre.com/security-culture-measurement
13. Rose A. What is Just-in-Time Access? A complete guide [Internet]. Securden; 2024 Sep 6 [cited 2025 Nov 30]. Available from: https://www.securden.com/just-in-time-access
14. Sjouwerman S. Human Risk Management: Strategies to fortify your organisation's defence. Forbes. 2025 Jun 10 [cited 2025 Nov 30]. Available from: https://www.forbes.com/human-risk-management
15. Stanton NA. Human factors in security: What have we learned? Appl Ergon. 2014;45(2):452-458. doi:10.1016/j.apergo.2013.05.007
16. Teramind. Insider threat vs. insider risk: What's the difference? [Internet]. Teramind; 2024 May 3 [cited 2025 Nov 30]. Available from: https://www.teramind.co/blog/insider-threat-vs-risk
17. usecure. The role of human error in successful cyber security breaches [Internet]. usecure; n.d. [cited 2025 Nov 30]. Available from: https://www.usecure.io/blog/human-error-cyber-breaches
18. Wilson M, Hash J. Building an information technology security awareness and training program (NIST Special Publication 800-50). National Institute of Standards and Technology; 2003.
19. NIST. SP 800-53 Rev. 5: Security and privacy controls for information