Celeste Meraz-Luna
Charles E. Kirkpatrick
CYSE200T 25962
Mar 31, 2025
The Human Factor in Cybersecurity
In cybersecurity, organizations must strategically allocate resources between training employees and investing in technology to mitigate cyber threats. For a Chief Information Security Officer (CISO) operating with a limited budget, finding the balance that maximizes protection while remaining cost-effective is a genuine challenge. Drawing on Shoshitaishvili et al. (2014) and Smeraldi & Malacaria (2014), this write-up explores a risk-reward approach to cybersecurity investment, emphasizing training, technology, and incident response planning.
Shoshitaishvili et al. (2014) highlight that organizations must weigh the probability and impact of cyber threats against the cost of mitigation. Over-investing in security can reduce business efficiency, while under-investing leaves the organization exposed to costly breaches. Similarly, Smeraldi & Malacaria (2014) introduce game-theoretic models for cybersecurity investment, arguing that the most effective strategy accounts for both risk reduction and financial constraints. By applying these principles, an organization can develop a balanced and cost-effective cybersecurity strategy.
One of the most cost-effective ways to reduce cyber risk is employee training. Human error remains a leading cause of security breaches, with phishing, weak passwords, and social engineering among the major threats. According to Shoshitaishvili et al., training programs offer a high reward at a relatively low cost, making them a valuable investment. A training program should include regular security awareness sessions that teach employees to recognize phishing attempts and practice strong password hygiene. It should also assess employee vulnerabilities and reinforce learning through simulated attacks such as phishing tests, and it should provide role-based training for IT staff, executives, and general employees so that each group receives knowledge matched to its responsibilities. By equipping employees with cybersecurity awareness, organizations can significantly reduce attack success rates while lessening their reliance on expensive security technologies.
While training addresses human vulnerabilities, technical defenses remain essential. As noted by Shoshitaishvili et al., the likelihood and impact of attacks vary, which calls for targeted investment in the security technologies that matter most. Smeraldi & Malacaria's (2014) optimization model supports this by suggesting that investments should prioritize high-impact, cost-effective solutions. Technology investments should include endpoint detection and response (EDR) and antivirus software to protect devices from malware and ransomware; multi-factor authentication (MFA) to prevent unauthorized access with stolen or guessed passwords, one of the most common attack methods; a Security Information and Event Management (SIEM) system for continuous monitoring and detection of suspicious activity; and automated data backup and recovery to ensure business continuity after a ransomware attack. These technologies help organizations automate threat detection and mitigation, reducing the burden on IT teams while strengthening overall security resilience.
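To make the risk-reward weighing above concrete, the following is an added worked example written for this write-up; it is not code from either cited paper. It treats budget allocation as a small knapsack-style optimization, in the spirit of the budget-constrained model Smeraldi & Malacaria describe: each threat has an assumed annual probability and loss, each control (training, MFA, EDR, SIEM, backup) has an assumed annual cost and an assumed percentage reduction per threat, and the script chooses the set of controls within the budget that minimizes residual expected loss plus spending. Every figure, and the control catalogue itself, is a constructed assumption for illustration, not measured data.

```python
"""Budget allocation across security controls as a small 0/1 knapsack problem.

Added worked example for this write-up; not code from the cited papers.
Every probability, loss figure, control cost and reduction percentage below is
a constructed assumption for illustration, not measured data.
"""
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # assumed annual likelihood of a successful incident
    impact: float       # assumed loss per incident, in thousands of dollars

    def ale(self) -> float:
        """Annualised loss expectancy: probability times impact."""
        return self.probability * self.impact


@dataclass
class Control:
    name: str
    cost: float                  # assumed annual cost, in thousands of dollars
    reduction: dict[str, float]  # threat name -> fraction of that threat's ALE removed


# Constructed threat scenarios (assumed figures).
THREATS = (
    Threat("phishing", probability=0.6, impact=200),
    Threat("ransomware", probability=0.2, impact=900),
    Threat("credential theft", probability=0.4, impact=150),
)

# Constructed control catalogue mirroring the options discussed above (assumed figures).
CONTROLS = (
    Control("awareness training", 15, {"phishing": 0.4, "credential theft": 0.2}),
    Control("MFA", 25, {"phishing": 0.5, "credential theft": 0.8}),
    Control("EDR", 45, {"phishing": 0.3, "ransomware": 0.6}),
    Control("SIEM", 90, {"phishing": 0.1, "ransomware": 0.2, "credential theft": 0.2}),
    Control("backup and recovery", 30, {"ransomware": 0.6}),
)


def residual_loss(chosen, threats=THREATS) -> float:
    """Expected annual loss that remains once the chosen controls are in place.

    Reductions against the same threat combine multiplicatively, so a second
    control covering an already-covered threat buys less than the first did
    (the diminishing returns behind over-investment).
    """
    total = 0.0
    for t in threats:
        remaining = prod(1.0 - c.reduction.get(t.name, 0.0) for c in chosen)
        total += t.ale() * remaining
    return total


def total_cost_of_risk(chosen, threats=THREATS) -> float:
    """Residual expected loss plus what the controls cost: the number to minimise."""
    return residual_loss(chosen, threats) + sum(c.cost for c in chosen)


def rosi(control, threats=THREATS) -> float:
    """Return on security investment of a single control deployed on its own."""
    saved = residual_loss((), threats) - residual_loss((control,), threats)
    return (saved - control.cost) / control.cost


def allocate(budget, controls=CONTROLS, threats=THREATS):
    """Pick the subset of controls, within budget, with the lowest total cost of risk.

    Exhaustive search over subsets is fine for a handful of controls; a real
    catalogue would call for a dynamic-programming knapsack instead.
    Returns (chosen control names, total cost of risk).
    """
    best, best_value = (), total_cost_of_risk((), threats)
    for k in range(1, len(controls) + 1):
        for subset in combinations(controls, k):
            if sum(c.cost for c in subset) > budget:
                continue
            value = total_cost_of_risk(subset, threats)
            if value < best_value:
                best, best_value = subset, value
    return [c.name for c in best], best_value


if __name__ == "__main__":
    print(f"baseline expected annual loss: {residual_loss(()):.1f}")
    for c in sorted(CONTROLS, key=rosi, reverse=True):
        print(f"  {c.name:20} cost {c.cost:5.0f}  standalone ROSI {rosi(c):+.2f}")
    for budget in (70, 120, 250):
        names, value = allocate(budget)
        print(f"budget {budget:>3}: {names} -> total cost of risk {value:.1f}")
```

Two things the constructed numbers illustrate. First, because reductions against the same threat multiply rather than add, piling controls onto one threat yields less and less; this is why the optimizer does not simply buy everything. Second, a larger budget does not change the answer when a control's cost exceeds what it saves: with these assumed figures the SIEM entry is never selected even with ample budget, while training and MFA, cheap and high-reward, are selected at every budget level. In practice the inputs are the hard part: the probabilities and reduction percentages should come from incident data and measured control effectiveness rather than be guessed as they are here.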
While training and technology are preventive measures, organizations must also prepare for the security incidents that will inevitably occur. Smeraldi & Malacaria (2014) emphasize the importance of post-attack strategies, since a well-structured response plan can significantly reduce damage and recovery costs. A portion of the cybersecurity budget should be allocated to developing and testing incident response plans so that the organization can react quickly and effectively. Security policies should be updated regularly to keep best practices enforced across the organization, and tabletop exercises should simulate real-world attack scenarios to improve response capabilities. By focusing on preparedness, organizations reduce the financial and reputational impact of incidents, in line with the principles of cost-effective risk management.
In cybersecurity, striking the right balance between training and technology investment is crucial. By applying the risk-reward models of Shoshitaishvili et al. (2014) and Smeraldi & Malacaria (2014), organizations can optimize their cybersecurity budgets, obtaining the most protection for the least expense. Employee training provides a high-impact, low-cost defense, cybersecurity technology strengthens automated protection, and incident response planning ensures rapid recovery from attacks. Ultimately, a strategic and data-driven approach to cybersecurity investment allows organizations to minimize risk, maintain operational efficiency, and safeguard critical assets without overspending.
Sources
Shoshitaishvili, Yan, et al. “Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security.” Proceedings of the 29th Annual ACM Symposium on Applied Computing. 2014.
Smeraldi, Fabrizio, and Pasquale Malacaria. “How to spend it: optimal investment for cyber security.” Proceedings of the 1st International Workshop on Agents and CyberSecurity. 2014.