The Human Element in Cyber Security: Managing Risk and Cultivating a Science-Based Security Culture
by Destiny Young, Osinachi Ozocheta
Published: December 9, 2025 • DOI: 10.51244/IJRSI.2025.12110070
Abstract
The modern digital enterprise faces an escalating cybersecurity challenge, with recent analyses indicating that seventy-four percent of breaches originate from human factors such as error, negligence, or insider activity. This pattern confirms the limitations of traditional awareness training models that focus mainly on information delivery rather than scientifically measurable behavioural change. Building on contemporary human risk research and recent findings that demonstrate a persistent intention-behaviour gap, this study argues that human fallibility must be addressed through both cultural and technical controls. Drawing on NIST SP 800-50 and advanced Human Risk Management frameworks, the paper promotes a life cycle approach to awareness, training, and cultural assessment that measures security culture across seven validated dimensions, providing a more meaningful alternative to superficial compliance metrics. To compensate for unavoidable human error, the framework adopts Zero Trust architecture as the foundational technical safeguard, supported by Just-in-Time access and automated cloud configuration enforcement as recommended in NIST SP 800-207. These controls eliminate standing privileges and reduce the attack surface created by risky human behaviour. The study synthesises programme structure, empirical evidence, and technical design into an integrated framework that public sector and resource-constrained organisations can adopt to achieve verifiable and sustainable reductions in human-centred security risk. Future research should empirically test this integrated model by measuring changes in observed security behaviour and incident rates after Zero Trust implementation and workload-informed intervention.