Abstract
Human factors remain the most critical vulnerability in cybersecurity, with many breaches involving human errors or social engineering. Integrating human factors engineering (HFE) into cybersecurity strategies is crucial for addressing these vulnerabilities and enhancing security resilience. Despite its importance, HFE is not widely recognized as an engineering discipline in cybersecurity, and many educational programs lack dedicated courses on human factors. Academic institutions, cybersecurity professionals, and federal agencies must advocate for incorporating HFE into cybersecurity curricula to prepare professionals with a comprehensive understanding of human behavior and its impact on security, ultimately leading to more robust and resilient cybersecurity practices.
Introduction
The human element remains the most critical vulnerability in cybersecurity. According to the Verizon Data Breach Investigative Report (2023), 74% of security breaches involve human participation through errors, misuse of privileges, stolen credentials, or social engineering. A joint report by Stanford University and Tessian emphasizes that human errors are primary contributors to cybersecurity incidents, exacerbated by distractions, burnout, stress, fatigue, understaffing, and increased targeting by threat actors. Neglecting human factors engineering (HFE) in cybersecurity strategies significantly heightens organizational risk (Neigel et al., 2020; Wiederhold, 2014).
An educational gap contributes to this issue, with many programs lacking explicit content on human vulnerabilities. Schultz (2005) highlights the shortage of research on human factors in information security, underscoring the need to understand how organizational culture influences employee behavior. Mancuso et al. (2014) stress the importance of human factors practitioners in addressing these challenges. Nobles (2018, 2022a) notes that the complexity of cybersecurity operations often exceeds the capabilities of typical professionals, and decision-makers are reluctant to involve human factors specialists.
Integrating HFE into cybersecurity is essential for managing human-induced errors and maintaining acceptable risk levels (Prabhu & Thompson, 2022). Recognizing HFE as an engineering discipline within cybersecurity can help mitigate human vulnerabilities and improve overall security resilience. The absence of human factors practitioners exacerbates stress, burnout, and security fatigue, undermining cybersecurity effectiveness. Leveraging HFE in cybersecurity practices is crucial for developing effective, practical solutions and enhancing security outcomes (Nobles, 2022a).
Background
Human factors, encompassing the interaction between end-users and systems, extend beyond technological aspects and draw from cognitive psychology and biomechanics to optimize human performance and minimize errors (Bergman, 2012). In cybersecurity, this discipline is crucial for designing systems, policies, and practices that reduce human vulnerability and organizational risk. Human errors and system malfunctions are responsible for 49% of data breaches (Ponemon Institute, 2019), with 90% of cyber breaches attributed to human errors (Chartered Institute of Ergonomics & Human Factors [CIEHF], 2022). Research indicates that 70% to 80% of cyber-attacks result from human-induced errors (Blau et al., 2017; Meshkat et al., 2020). Despite these statistics, cybersecurity education often lacks a focus on human factors. Beach (2014) found that only 2% of cybersecurity programs required a human factors course, and 62% did not offer it. This gap is exacerbated by inadequate support from stakeholders and the complexity of integrating human factors into cybersecurity (Jones et al., 2018; Nobles, 2019, 2022a, 2022b). While high-reliability industries have successfully integrated human factors to improve performance, cybersecurity has not fully adopted these practices, missing opportunities to enhance system design and decision-making (Nobles et al., 2022). Traditional security models often undervalue human factors, relying too heavily on technology and failing to address the psychological aspects of user behavior (Orshesky, 2003; Prabhu & Thompson, 2022). Addressing these gaps requires interdisciplinary research and a consolidated framework for human factors in cybersecurity (Jeong et al., 2019).
Discussion
The Human Factors Definition Conundrum
Human factors, as defined by the Human Factors and Ergonomics Society (n.d.), is a scientific discipline focused on optimizing human interactions with systems through theory, principles, data, and design techniques to enhance performance, behavior, and safety. Understanding human factors is crucial for effective cybersecurity solutions. Nobles (2022a) highlights the importance of integrating human factors into cybersecurity, though its interpretation varies. One definition focuses on negative behaviors impacting security (Nobles, 2022b), while another emphasizes enhancing performance through human factors engineering (Gosbee, 2002). The lack of understanding amongst cybersecurity professionals, coupled with the growing demand for experts, hinders this integration (Nobles, 2019). Academic discourse often focuses on negative behaviors leading to breaches (Jeong et al., 2019; Mohammad et al., 2022; Rahman et al., 2021), neglecting the benefits of human factors. Comprehensive definitions are needed to guide research and practice, facilitating the inclusion of human-centric methods and reducing risks (Nobles, 2022b). Recognizing human factors as a core discipline in cybersecurity aids in addressing and mitigating human-related vulnerabilities.
The Need for Human Factors Engineering in Cybersecurity
Engineering disciplines such as software engineering, information security engineering, network engineering, computer engineering, and cybersecurity engineering are critical for safeguarding an organization’s digital infrastructure. However, Human Factors Engineering (HFE) is not yet regarded as an engineering discipline in cybersecurity despite its broader scope beyond human-computer interaction (HCI) (Nobles, 2022a). The dynamic business environment, increasing reliance on advanced technologies, a shortage of cybersecurity professionals, heightened regulatory demands, and a relentless threat landscape exacerbate security fatigue (Nobles, 2019). Operational stress, fatigue, and burnout are extensively documented (Grier, 2015; Nobles, 2022a), yet these issues remain underemphasized among security executives. Over 80% of security incidents result from human errors, highlighting the need for research on human factors within cybersecurity environments (Nobles, 2018). Challenges include limited access to employees, overreliance on technology, and a knowledge gap in human factors (Dykstra & Paul, 2018). A survey revealed that 90% of Chief Information Security Officers (CISOs) are willing to accept a pay cut to reduce stress, with 88% reporting excessive stress impacting their mental health and work-life balance (Sheridan, 2020). Prolonged stress leads to burnout, affecting both technical and non-technical staff due to constant changes in cybersecurity policies and technology (Kävrestad et al., 2024; Nobles, 2018, 2022a). Understanding and integrating HFE in cybersecurity is crucial for reducing human-induced risks and enhancing overall security resilience.
Factors Impeding Human Factors Engineering in Cybersecurity
While the human factors discipline and profession have existed for over 80 years, their recognition and valuation in cybersecurity have been too slow. A recent article highlights the variability in the existing cybersecurity literature regarding the definition of human factors (Nobles & Burrell, 2024). This extensive variability in defining human factors is problematic and indicates that most authors do not recognize human factors as a science, a discipline, and a profession (Nobles & Burrell, 2024). Other domains, such as aviation, healthcare, and industrial safety, leverage human factors to reduce friction around the human element and intentionally design systems to optimize human performance and behavior.
Another alarming issue is the lack of human factors courses taught in cybersecurity programs. Recent analysis determined that most National Centers of Academic Excellence accredited undergraduate and graduate programs do not teach human factors courses (Nobles, 2023). Although some colleges and universities offer courses in human-computer interaction (HCI), these curricula do not encompass the full breadth of human factors engineering. HCI is often mistakenly conflated with human factors engineering, yet they are distinct disciplines.
Most cybersecurity incidents result from systemic failures, which are often characterized as human errors. Systemic failures in cybersecurity are undoubtedly human errors; however, without the inclusion of human factors engineering in cybersecurity as an engineering discipline, the problem could potentially worsen.
Industry perpetuates the lack of HFE in cybersecurity, as is evident from the paucity of HFE professionals working in cybersecurity operations. As cybersecurity operations grow increasingly complex, the need for HFE is paramount to reducing the friction surrounding end-users in cybersecurity. Cyber threat actors increasingly target end-users’ weaknesses and limitations to gain access to sensitive systems and information. Traditional cybersecurity teams lack the human factors expertise needed to implement practices that reduce friction and human vulnerabilities.
Human Factors Engineering as a Cybersecurity Discipline
Researchers have emphasized the need for mandated guidance in designing effective cybersecurity education and training curricula (Jones et al., 2018). Despite the critical importance of human factors practices, their integration in cybersecurity remains limited. Colleges and universities are pivotal in driving this change by fostering scholarly research, forming partnerships, and developing specialized curricula (Nobles et al., 2022). Although research on human factors in cybersecurity is increasing, including human factors practitioners in cyber operations is still rare. Leveraging Human Factors Engineering (HFE) could significantly enhance system design, optimize employee performance, reduce errors, and improve security decision-making. However, the cybersecurity industry often overlooks human factors, attributing breaches to human error without integrating HFE principles into frameworks and standards. Academia must advocate for and incorporate HFE into cybersecurity programs to prepare professionals with a comprehensive understanding of human behavior and its impact on security, ultimately leading to more robust and resilient cybersecurity practices (Jones et al., 2018; Nobles et al., 2022).
Conclusion
Colleges and universities serve as pivotal institutions for educating industry, academic, and government leaders on the critical importance of human factors engineering in cybersecurity (Nobles et al., 2022). Through rigorous scholarly research, strategic partnerships with government and industry, and the development of comprehensive human factors curricula, academic institutions have the potential to influence business decision-makers profoundly (Nobles et al., 2022). By emphasizing the integration of human factors engineering with the same rigor and commitment typically reserved for cybersecurity, software, and network engineering, academia can drive the adoption of human factors engineering in cybersecurity.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
