When employees become the weakest cybersecurity link

Abstract

This teaching case addresses the core challenge of why 95% of internal cybersecurity breaches stem from employee error despite massive technology investments. Leveraging behavioral psychology, and featuring cybersecurity consultants Elsa and Maya, the case analytically structures the problem by identifying and examining four key behavioral factors contributing to breaches: Emotional, Cognitive, Negligence, and Diffused Responsibility. It then presents ‘employee conditioning' as a strategic intervention, requiring students to analyze its ethical and operational perils. Ultimately, the case frames a critical strategic decision: developing a resilient cybersecurity posture through the optimal integration of Human-in-the-Loop (HITL) and Human-Out-of-the-Loop (HOOTL) systems. Students are prompted to move beyond awareness training to design an integrated security mindset that systematically addresses human irrationality and the complex interplay of these behavioral risk factors.

Keywords

teaching case human cybersecurity employee conditioning cybersecurity behaviors cybersecurity behavioral factors cybersecurity defense cybersecurity hygiene

Get full access to this article

View all access options for this article.

References

Datta

(2022) Hannibal at the gates: Cyberwarfare & the Solarwinds sunburst hack. Journal of Information Technology Teaching Cases 12(2): 115–120.

Datta

Acton

(2023) Did a USB drive disrupt a Nuclear Program? A Defense in Depth (DiD) Teaching Case. Journal of Information Technology Teaching Cases 14(2): 311–321. https://doi.org/10.1177/20438869231200284

Datta

Acton

(2025) Promises and perils of generative AI in cybersecurity. MIS Quarterly Executive 24(2): 5.

Datta

Krancher

(2024) Cybersecurity end-user compliance: password management versus update compliance. Information & Management 61(8): 104060. https://doi.org/10.1016/j.im.2024.104060

Datta

Acton

Hughes

(2022) Phantom or menace: user behaviors in cybersecurity. In: Lang

Dowling

Lennon

(eds) Cyber Research Conference Ireland: Multidisciplinary Perspectives on Cybersecurity Research, Practice and Education. Galway, Ireland: IEEE, pp. 6–9.

Jones

Lodinger

Widlus

, et al. (2022) How do non experts think about cyber attack consequences? Information and computer security 30(4): 473–489. https://doi.org/10.1108/ics-11-2020-0184

Kost

(2024) How did the Optus data breach happen? https://www.upguard.com/blog/how-did-the-optus-data-breach-happen, Nov 18. Date Accessed: 31 Jul 2025.

Reeves

Calic

Delfabbro

(2025) How to De-CyFa the actor-observer bias in cybersecurity fatigue: building the CyFa measure of attribution styles and mitigation strategies. Computers & Security 150: 104179. https://doi.org/10.1016/j.cose.2024.104179

StationX (2025) Insider threat statistics: (2025’s Most shocking trends). https://www.stationx.net/insider-threat-statistics/#:∼:text=1.,by_Verizon_in_2023_DBIR, Date Accessed: 1 Aug 2025.

10.

Triplett

(2022) Addressing human factors in cybersecurity leadership. Journal of cybersecurity and privacy 2(3): 573–586. https://doi.org/10.3390/jcp2030029

11.

Yulianto

Soewito

Gaol

, et al. (2025) Enhancing cybersecurity resilience through advanced red-teaming exercises and MITRE ATT&CK framework integration: a paradigm shift in cybersecurity assessment. Cyber Security and Applications 3: 100077.