Culture Is the Best Firewall

In an increasingly complex cybersecurity landscape, human behaviour plays a critical role in the efficacy of an organisation's security measures. This article explores the integration of Human-Centred Cybersecurity (HCC), also known as usable security, into security training programmes through usability, education, and user engagement, with the aim of reducing the friction that security controls impose on everyday work. It also examines the role of organisational behaviour in shaping cybersecurity and proposes a roadmap that systematically integrates human factors into cybersecurity strategy. By treating employees not merely as potential vulnerabilities but as strategic assets, organisations can build robust cyber defences grounded in culture, awareness, and behaviour change.

HCC emphasises operational feasibility, advocating training programmes such as Security Education, Training, and Awareness (SETA) that adapt to individual learning styles and job roles, thereby fostering a culture of cybersecurity awareness. Strategies for increasing compliance include personalised training delivered through hybrid interaction systems and gamification, and a redefinition of employees’ roles so that security becomes part of how work is done rather than an obstacle to it. This article advocates continuous evaluation and a multidimensional framework that incorporates human factors, with the aim of strengthening Cybersecurity Culture (CSC) within organisations.

How human-centred cybersecurity (HCC) training fosters organisational cybersecurity cultures (CSC)

Since the early 1900s, psychologists have studied humans in the workplace under the heading of Industrial-Organisational Psychology (I/O psychology). Much of this subdiscipline has focused on leadership, training, stress, performance, recruitment, and teams. More recently, culture has become a prominent topic both within workplaces and within this branch of psychology. Culture is the ‘system in which individuals share meanings and common ways of viewing events and objects’ (Conte & Landy, 2019). When that shared system belongs to the members of an organisation, it is called organisational culture. Organisational culture matters for many reasons, among them increased satisfaction, commitment, and engagement, as well as cohesive values and behaviours. The main factors in fostering an organisational culture are structure, leadership, vision, mission, environment, and communication (Chalmers, 2023).

Within an organisational culture there are also subcultures, one of which is the organisational cybersecurity culture (CSC). CSC is the combination of attitudes, norms, assumptions, and values that an organisation holds about cybersecurity, and the way these shape people’s behaviour towards security (including information security and the wider security culture). Building a CSC requires several interlocking components: mindset, leadership, training and awareness, performance management, and technical and policy reinforcement (NICE, 2018). With a threat landscape that changes and adapts rapidly, this concept is more vital than ever.

Such cultures may be an afterthought for many organisations, but they are essential to maintaining a robust cybersecurity programme and framework. Like other organisational subcultures, the CSC affects both the effectiveness of the organisation’s policy and the deployment of the resources that support it (Choudhry et al., 2007). Without a change in mindset to back the protective effort, behaviour towards new controls will be half-hearted and less supportive of the goal. According to Herath & Rao (2009), a positive attitude towards security policy has a significant effect on response efficacy and significantly reduces the chance that a cyber-attack succeeds (Willie, 2023). In practice, Liberty Mutual, through continuous learning and a strengthened system of beliefs and values, created a culture of Organisational Citizenship Behaviours (OCB) in which perceived attacks are reported or responded to promptly and accurately (Huang & Pearlson, 2019).

Organisational culture, whether cybersecurity-focused or not, tends to increase the number of OCBs. OCBs are discretionary actions that individuals take of their own accord, outside their defined job tasks. They are commonly grouped into seven types: ‘helping behaviours, sportsmanship, organisational loyalty, organisational compliance, individual initiative, civic virtue, and self-development’ (Pickford, 2024). Increasing Organisational Citizenship Behaviour regarding Security (OCB-S) reduces non-malicious Counterproductive Computer Security Behaviours (CCSB), that is, computer use that runs against the organisation’s values: civic virtue and helping behaviours increase participation through social exchange within clearly defined roles, and organisational safety rises as the sense of belonging grows (Ifenedo, 2015; Turel, 2017).

The human firewall concept: A roadmap to cybersecurity rooted in organisational behaviour

In today’s digital age, cybersecurity threats are evolving with alarming sophistication and target organisations of every size and sector. Traditional cybersecurity measures such as firewalls, antivirus software, and intrusion detection systems are critical but insufficient on their own. A growing body of evidence highlights the importance of the human element in cybersecurity frameworks: the ‘human firewall’. The concept entails using insights from organisational behaviour to empower employees as the first and most effective line of defence against cyber threats.

The ‘human firewall’

The human firewall refers to the collective ability of an organisation’s workforce to detect, prevent, and respond to cyber threats through informed and secure behaviour. Its core elements include:

  • Awareness and Knowledge – understanding common cyber threats and recognising suspicious signs.
  • Vigilance and Scepticism – taking a cautious approach to unsolicited communications and unusual requests.
  • Responsibility and Accountability – ownership of security duties and acceptance of the consequences of risky behaviour.
  • Trust and Cooperation – building trust across departments and levels of hierarchy so that threats are reported without hesitation.
  • Resilience and Adaptability – the ability to recover from cyber incidents and learn from errors.

Building the human firewall: A roadmap to cybersecurity rooted in organisational behaviour

This section outlines practical steps organisations can take to cultivate a human firewall through organisational behaviour practices:

  • Assessing the Current Culture and Behaviour – conduct surveys, interviews, and audits to understand employee attitudes and knowledge gaps.
  • Leadership Commitment and Role Modelling – leaders visibly follow the security practices they expect of their staff.
  • Developing a Cybersecurity Culture.
  • Comprehensive Training Programmes – role-adapted SETA, personalised training, and gamification, as described above.
  • Communication Channels and Feedback Loops.
  • Behavioural Incentives and Consequences.
  • Continuous Monitoring and Adaptation.

Challenges to implementation

Some of the key challenges that can arise during implementation are:

  • Balancing surveillance with employee privacy.
  • Overcoming resistance to change and ingrained habits.
  • Managing diverse teams with varying levels of cyber literacy.
  • Aligning cybersecurity strategy with overall business goals.

The future of the human firewall in cybersecurity

Looking ahead, the increasing integration of AI and machine learning will augment human firewalls but cannot replace them. Cybersecurity frameworks must evolve to personalise awareness further, use behavioural data ethically, and foster deeper employee engagement. An emphasis on organisational behaviour remains key to sustaining robust cybersecurity in an ever-changing threat landscape.

Conclusion

Cyber-attacks such as phishing, social engineering, ransomware, and insider threats exploit human vulnerabilities rather than merely technological weaknesses. According to studies, a significant share of data breaches stems from human error, such as clicking on malicious links, choosing weak passwords, or handling sensitive data insecurely. The human component is therefore both a critical risk and a potential strength.

Cybersecurity is not just a technical discipline but a socio-technical one. Behavioural patterns dictate how employees interact with IT systems. Human errors are often symptoms of gaps in organisational culture, inadequate training, or unclear policies. Understanding the psychological and social dimensions of employee behaviour is essential to proactively designing cybersecurity initiatives that resonate on a human level.

The human firewall is not a single tool or policy but a dynamic, continuous process rooted in organisational behaviour. By fostering a cybersecurity culture that motivates, educates, supports, and holds employees accountable, organisations can turn their workforce into their strongest defence. This roadmap offers a strategic approach for leaders who recognise that cybersecurity begins with people, and that empowering them is the ultimate security investment.

About the Writer:

Lt Col Chinthaka Dharmapriya Perera is a Military Research Officer at the Institute of National Security Studies, established and functioning under the Ministry of Defence. The opinions expressed are his own and do not reflect those of the Institute or the Ministry of Defence.