The budget is approved. Your security stack is a fortress of best-in-class technology, from next-gen firewalls to AI-powered threat intelligence. On paper, you’re more secure than ever.
So why does the latest incident report still trace back to a moment of human fallibility: a clicked link, a weak password, or a case of social engineering?
If this scenario feels painfully familiar, you’re not alone. The data is stark: 74% of all security breaches involve the human element. We’re so focused on the technology that we’ve forgotten the people using it.
We’re trying to solve a human problem with purely technical solutions, and it’s time for a new approach.
The Missing Piece of Your Security Puzzle: Human Factors Engineering
We readily accept software engineering, network engineering, and information security engineering as critical pillars of our defense. But what about the engineering of the human-system interaction itself? This is the domain of Human Factors Engineering (HFE), a scientific discipline focused on optimizing how people interact with systems to enhance performance and minimize error.
While industries like aviation and healthcare have long embraced HFE to reduce critical mistakes, cybersecurity has been slow to adopt it. This is a massive oversight when you consider the statistics:
- 90% of cyber breaches are attributed to human errors.
- Between 70% and 80% of cyber-attacks are the result of human-induced errors.
The truth is, many security incidents aren’t just “human error”; they are systemic failures. We design complex, friction-filled security processes and then blame the end-user when they fail. HFE provides the tools to design systems, policies, and practices that work with human nature, not against it, thereby reducing organizational risk and strengthening your overall security resilience.
The Hidden Toll of Security Fatigue and CISO Burnout
Ignoring the human element doesn’t just lead to breaches; it creates a culture of stress, burnout, and fatigue that actively undermines your security posture. The relentless threat landscape, coupled with a shortage of cybersecurity professionals, is taking its toll.
The C-Suite Under Pressure: The Personal Cost of Cyber Risk
The operational stress in cybersecurity is extensively documented. Constant changes in policies and technology lead to burnout not just in your technical teams, but all the way to the top. Consider this staggering finding from a survey of Chief Information Security Officers (CISOs):
- 88% of CISOs report that excessive stress is impacting their mental health.
- An incredible 90% would be willing to take a pay cut just to achieve a better work-life balance.
When your security leaders and frontline defenders are exhausted and overwhelmed, their decision-making suffers, and the risk of error skyrockets. This isn’t a personal failing; it’s a systemic problem that HFE is designed to address by creating more intuitive and less cognitively demanding security operations.
The Educational and Professional Gap
A primary reason for this neglect is a fundamental gap in how we train and staff our teams.
- An academic blind spot: A recent analysis showed that most top-tier cybersecurity degree programs do not even offer a human factors course. Many mistakenly treat Human-Computer Interaction (HCI) as a substitute, but HCI is only a small piece of the broader HFE puzzle.
- A missing expert: It is still exceptionally rare to find a human factors professional working within a cybersecurity operations team. This means the very people trained to reduce human-induced friction and vulnerability are absent from the front lines.
How to Engineer a Stronger Human Defense Layer
To truly advance our defenses, we must champion the integration of HFE as a core cybersecurity discipline, with the same rigor we apply to network or software engineering.
Leveraging HFE can dramatically enhance system design, optimize employee performance, and improve security decision-making. It’s about intentionally designing systems to account for human strengths and limitations, rather than hoping humans will adapt to flawed systems. The change must begin with leadership and education.
By advocating for HFE within our organizations and demanding its inclusion in academic curricula, we can begin to train a new generation of cybersecurity professionals who understand that building a resilient organization means putting people at the center of the security equation.
For Further Reading:
The insights in this post are based on the academic article: Nobles, C., & Robinson, N. (2024). The Missing Engineering Discipline in Cybersecurity: Human Factors Engineering. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 68(1), 226–229. https://doi.org/10.1177/10711813241275926