The Human Factor in Cybersecurity
Jessica L. Lewison
Old Dominion University
CYSE 200T: Cybersecurity – Technology – Security
Professor Chris Bowman
November 16, 2025
If I were acting as a Chief Information Security Officer with a limited budget, I would prioritize training my staff above all else. Research indicates that the majority of cybersecurity incidents involve human error. Technology is important, but it is ineffective if the people using the systems do not understand the threats. Strong security tools cannot fully protect an organization if employees are not trained properly (Verizon, 2023).
Instead of relying on once-a-year training modules, I would focus on short sessions that involve real-life examples and scenario-based exercises. These could include demonstrations of social engineering tactics, phishing simulations, and password practices. People tend to retain information better when they can connect real-world examples to their training. These methods are also cost-effective when compared with the financial damage that a cyber incident can cause. After prioritizing training, I would use the remaining funds for high-value technologies such as endpoint protection, password managers and multi-factor authentication.
Overall, I would invest more in people and then use remaining funds to strengthen the organization’s technological foundation. When employees understand their role in cybersecurity, every security tool becomes more effective.
Sources
Verizon. (2023). 2023 Data breach investigations report. Verizon Enterprise Solutions.
http://www.verizon.com/business/resources/reports/dbir