It’s time to retire the tired narrative that employees are the “weakest link” in cybersecurity. They’re not. They’re simply the most frequently targeted. And that makes sense – if you’re a cybercriminal, why brute-force your way into secure systems when you can just trick a human?
And that is why over-relying on technical controls only goes wrong. So is treating users like liabilities to be controlled, rather than assets to be empowered.
One of the core principles of Human Risk Management (HRM) is not about shifting blame, but about enabling better decisions at every level. It’s a layered, pragmatic strategy that combines technology, culture, and behaviour design to reduce human cyber risk in a sustainable way. And it recognises this critical truth: your people can be your greatest defence – if you equip them well.
The essence of HRM is empowering individuals to make better risk decisions, but it’s even more than that. “With the right combination of tools, culture and security practices, employees become an extension of your security programme, rather than just an increased attack surface,” asserts Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 Africa.
A recent IBM study revealed that more than 90% of all cybersecurity breaches can be traced back to human error (https://apo-opa.co/3GGeSBF) due to employees being successfully exploited through phishing scams, their use of weak passwords or non-optimal handling of sensitive data. Companies have long seen the upward trend in this threat, thanks to numerous studies, and subsequently employees are often judged to be the biggest risk companies need to manage. This perspective, though, is denying businesses the opportunity to develop the best defence they could have: empowered, proactive employees at the frontline; not behind it.
Shield users – but also train them through exposure
Of course, the first thing companies should do is protect and shield employees from real threats. Prevention and detection technologies – email gateway filters, endpoint protection, AI-driven analysis – are essential to keeping malicious content from ever reaching user’s inboxes or devices. But here’s the catch: if users are never exposed to threats, they don’t build the muscle to recognise them when they do get through.
Enter the prevalence effect – a cognitive bias which shows that the less frequently someone sees a threat (like a phishing email), the less likely they are to spot it when it finally appears. It’s a fascinating and slightly counterintuitive insight: in trying to protect users too much, we may be making them more vulnerable.
That’s why simulated phishing campaigns and realistic training scenarios are so critical. They provide safe, controlled exposure to common attack tactics – so people can develop the reflexes, pattern recognition, and critical thinking needed to respond wisely in real situations.
Many of today’s threats don’t just rely on tech vulnerabilities – they exploit human attention. Attackers leverage stress, urgency, and distraction to bypass logic and trigger impulsive actions. Whether it’s phishing, smishing, deepfakes, or voice impersonation scams, the aim is the same: manipulate humans to bypass scrutiny.
That’s why a foundational part of HRM is building what I call digital mindfulness – the ability to pause, observe, and evaluate before acting. This isn’t abstract wellness talk; it’s a practical skill that helps people notice deception tactics in real-time and stay in their system (critical thinking mode) instead of reacting on autopilot. Tools such as systems-based interventions, prompts, nudges or second chance reminders are ways to induce this friction to encourage pausing when and if it matters.
“Every day, employees face a growing wave of sophisticated, AI-powered attacks designed to exploit human vulnerabilities, not just technical ones. As attackers leverage automation, AI and social engineering at scale, traditional training just isn’t effective enough.”
Protection requires layered defence
“Just as businesses manage technical vulnerabilities, they need to manage human risk – through a blend of policy, technology, culture, ongoing education, and personalised interventions,” says Collard.
This layered approach extends beyond traditional training. System-based interventions – such as smart prompts, real-time nudges, and in-the-moment coaching – can slow users down at critical decision points, helping them make safer choices. Personalised micro-learning, tailored to an individual’s role, risk profile, and behavioural patterns, adds another important layer of defence.
Crucially, Collard emphasises that zero trust shouldn’t apply only to systems. “We need to adopt the same principle with human behaviour,” she explains. “Never assume awareness. Always verify understanding, and continuously reinforce it.”
To make this concept more accessible, the acronym D.E.E.P., a framework for human-centric defence:
- Defend: Use technology and policy to block as many threats as possible before they reach the user.
- Educate: Deliver relevant, continuous training, simulations, and real-time coaching to build awareness and decision-making skills.
- Empower: Foster a culture where employees feel confident to report incidents without fear of blame or repercussions.
- Protect: Share threat intelligence transparently, and treat mistakes as learning opportunities, not grounds for shame.
“Fear-based security doesn’t empower people,” she explains. “It reinforces the idea that employees are weak points who need to be kept behind the frontline. But with the right support, they can be active defenders—and even your first line of defence.”
Empowered users are part of your security fabric
When people are trained, supported, and mentally prepared—not just lectured at once a year – they become a dynamic extension of your cybersecurity posture. They’re not hiding behind the firewall; they are part of it.
With attacks growing in scale and sophistication, it’s not enough to rely on software alone. Businesses need a human layer that is just as adaptive, resilient, and alert. That means replacing blame culture with a learning culture. It means seeing people not as the problem, but as part of the solution.
Because the truth is: the best defence isn’t a perfect system. It’s a well-prepared person who knows how to respond when something slips through.
“Human behaviour is beautifully complex,” Collard concludes. “That’s why a layered approach to HRM – integrating training, technology, processes and cognitive readiness – is essential. With the right support, employees can shift from being targets to becoming trusted defenders.”
Distributed by APO Group on behalf of KnowBe4.
