Cyber Security and the Human Factor: Maybe you’re the solution?
Posted on Sep 15, 2025 by Laurie Ibbs
Fun fact: If users are considered the “weakest link” in a system, they’re also the most numerous and widely distributed “sensors” and “defenders.”
That paradox sits at the heart of the CyberCAKE project, and it’s exactly why our team came together to bid for the InnovateUK grant which is giving life to this area of research.
Why CyberCAKE?
So what’s driving this effort?
Earlier this year, Richard Unwin, David Lund and I began talking about the missing piece in cybersecurity: human psychology (or maybe behaviour).
We’ve often noticed how reluctant people are to adopt stronger security behaviour, even when they know the risks.
- In organisations, new frameworks can seem overwhelming, expensive, or time-consuming.
- At home, good practices like using unique passwords or enabling multi-factor authentication often get ignored.
The result? A contradictory mix of attitudes:
Both outlooks lead to risky behaviour and leave systems vulnerable.
Technology Isn’t Enough
When the chance to bid for an InnovateUK grant came up, we knew this was worth exploring more deeply. Cybersecurity discussions often equate “stronger defence” with “better technology.” And yes, firewalls, detection systems, and encryption keep improving, but the human element is still underexplored.
People are often the weakest link. But paradoxically, they’re also the most crucial element in an organization’s defence posture. If we can understand why people resist good advice, and how to flip that narrative, we can unlock new approaches to security.
What We’re Setting Out to Do
Through a series of workshops, we’ll dig into the psychological and social factors behind cybersecurity behaviours:
- What makes people click on phishing emails or fall for social engineering?
- Why do we ignore advice, even when we know better?
- Can we spot early indicators of behaviour which leads to vulnerability?
- How can we embed a culture of good practice in information handling?
These are deep questions, and a brief look around any cybersecurity news outlet will show you we are far from answering them. We also have to admit that these are all fundamental human questions. A new encryption algorithm cannot save us from flawed decisions made hastily.
Our aim is to develop a model of how people think about and respond to online threats in the ever-evolving tech landscape. We want to develop a program to help create the tools and develop the critical thinking people need to survive in the digital jungle.
What’s Next
I’ll be using this blog to track our progress, share anecdotes from our workshops, and highlight some of the techniques and data analysis methods we’re using along the way.
And because this project is ultimately about people, we’d love to hear from you too:
👉 What's your biggest frustration with online security?
👉 Do you see yourself as cautious, overconfident, or somewhere in between?
Drop your thoughts via LinkedIn, use our contact form or send us an email. Your feedback might even help shape our future workshops.
| Tags: Cyber Security