What is it about?
This paper looks at why people, not just technology, are often the weakest link in cybersecurity. Many cyberattacks today, such as phishing emails or scams over chat platforms, succeed because they exploit human behavior, emotions, and decision-making rather than breaking through technical defenses. To understand this better, we studied real cases of social engineering attacks and collected survey responses from more than 200 people about their knowledge and experiences with these threats. The results showed that many individuals still lack awareness of how easily they can be manipulated and that both human behavior and technical systems play a role in security breaches. Based on these findings, we propose a new framework that combines technical measures (like multi-factor authentication and anomaly detection) with human-focused solutions (like training, awareness, and reporting systems). By balancing these two sides, organizations can create stronger protection against modern cyber threats that target people as much as machines.
Why is it important?
Cyberattacks are increasingly targeting people rather than just systems, making human behavior one of the most critical vulnerabilities in cybersecurity. While many studies focus only on technical defenses, our work is unique because it combines real-world survey data with a review of existing frameworks to propose a balanced approach that integrates human and technical solutions. This is timely as social engineering attacks, such as phishing, impersonation, and business email compromise, are rising sharply and causing billions of dollars in losses worldwide. Our study highlights the urgent need to address the human side of security, not just technology. By introducing a practical framework that organizations of any size can adopt, this work provides a new way to strengthen defenses, reduce risk, and improve resilience against modern cyber threats.
Perspectives
Writing this article has been a very rewarding journey, especially as it brought together technical and human aspects of cybersecurity that are often treated separately. For me, this work is not just about proposing a new framework but about raising awareness that people are at the center of security, both as potential vulnerabilities and as the strongest line of defense. I hope this publication encourages readers, whether from academia, industry, or the general public, to reflect on the role of human behavior in shaping cybersecurity outcomes. More than anything, I would like this work to spark conversations about creating a culture of security that goes beyond technical fixes and empowers individuals to be active participants in protecting information.
Ahmad Sahban Rafsanjani
Sunway University
Read the Original
This page is a summary of: Human Factors in Information Security: A Quantitative Study with Technical Solutions to Prevent Social Engineering Attacks, Digital Threats Research and Practice, December 2025, ACM (Association for Computing Machinery), DOI: 10.1145/3767320.