The Importance of a Human-Centric Approach to Cybersecurity Awareness Training
In the rapidly evolving landscape of cybersecurity, a human-centric approach to awareness training has emerged as a crucial element in fortifying...
Ishmael Roberto Pennino : January 6, 2026
Introduction: A Personal and Professional Call to Action
As we step into a new year, my commitment to cybersecurity awareness feels both deeply personal and professionally urgent. For years, the dominant narrative in cybersecurity has framed people as the problem, the so-called “weakest link.” Yet mounting evidence, lived experience, and interdisciplinary research tell a very different story: people are not the liability in cybersecurity; they are its greatest, and most underutilized, strength.
My aspiration for the year ahead is simple in principle but ambitious in practice: to help advance a more human-centric approach to cybersecurity awareness. One that respects human cognition, behaviour, emotions, and social context. One that moves us away from blame and compliance theatre, and toward empowerment, resilience, and shared responsibility. This article is both a reflection and a call to action for organizations, practitioners, and leaders who recognize that sustainable security outcomes depend on understanding and supporting the humans at the heart of our digital systems.
The Limits of a Technology-First Cybersecurity Paradigm
Traditional cybersecurity strategies have overwhelmingly prioritized technical controls: firewalls, intrusion detection systems, endpoint protection, and increasingly, artificial intelligence-driven tools. While these controls are necessary, they are not sufficient. Decades of breach data consistently demonstrate that a significant proportion of cyber incidents involve a human element, whether through social engineering, error, misuse, or systemic design failures (Colabianchi et al., 2025).
Yet too often, the response to this reality has been to double down on restrictive policies, punitive controls, and generic awareness training that assumes rational, fully attentive users operating in ideal conditions. This approach ignores a critical truth: humans do not fail in isolation. Human actions are shaped by workload, cognitive fatigue, organizational culture, system design, and competing priorities (Khadka & Ullah, 2025). This is further reinforced by the Verizon Data Breach Investigations Report (DBIR) 2025, which found that 67% of breaches involved a human element, underscoring the persistent and central role of human behaviour in real-world cyber incidents (Verizon, 2025).
When security controls are misaligned with how people actually work, think, and decide, they create friction, fatigue, and disengagement. Over time, this not only erodes security posture but also damages trust between employees and security teams. A purely technical lens cannot account for these dynamics. What is needed instead is a socio-technical and human-centric reorientation of cybersecurity awareness.
Reframing the Human Role: From Vulnerability to Capability
A growing body of research challenges the notion of humans as inherent security liabilities. Colabianchi et al. (2025), through a Delphi study of cybersecurity experts, emphasize that human factors should be understood as sources of resilience rather than merely risk. Their work identifies managerial and organizational actions, such as reducing cognitive fatigue, balancing workloads, clarifying roles, and fostering continuous learning, as central to improving cybersecurity outcomes.
This shift in framing is profound. It moves us away from asking, “How do we control human behaviour?” toward asking, “How do we design systems, cultures, and learning experiences that enable secure behaviour?” In this view, errors are not moral failings but signals of misalignment between people and the systems they are expected to operate.
Human-centric cybersecurity awareness recognizes that individuals want to do the right thing. Most employees do not intend to put their organizations at risk. However, intention alone is insufficient when security expectations conflict with usability, productivity, or psychological realities. Empowering people means designing security practices that fit naturally into workflows and respect human limitations.
Cognitive Load, Fatigue, and the Reality of Modern Work
One of the most underappreciated factors in cybersecurity awareness is cognitive load. Modern digital work environments demand constant attention-switching, rapid decision-making, and continuous learning. When security adds further layers of complexity (frequent password changes, dense policies, excessive alerts), it contributes to cognitive fatigue (Colabianchi et al., 2025).
Research shows that fatigue and stress significantly increase the likelihood of errors and risky behaviour, particularly under time pressure (Khadka & Ullah, 2025). From a human-centric perspective, awareness programs must therefore go beyond knowledge transfer. They must account for how much cognitive capacity people realistically have and prioritize simplicity, clarity, and relevance.
This has practical implications. Fewer, more meaningful security messages are often more effective than constant reminders. Training should focus on high-risk moments, such as handling unexpected requests or anomalies, rather than abstract rules. Just as importantly, organizations must examine whether their own structures and expectations are inadvertently creating the conditions for human error.
Awareness as Culture, Not Campaign
Cybersecurity awareness is frequently treated as an annual checkbox exercise: a mandatory course, a phishing simulation, a policy acknowledgment. While these activities may satisfy compliance requirements, they rarely result in sustained behavioural change. Human-centric research consistently points to organizational culture as a decisive factor in cybersecurity effectiveness (Colabianchi et al., 2025; Khadka & Ullah, 2025).
A strong cybersecurity culture is one in which security is visibly valued, openly discussed, and psychologically safe. Employees feel comfortable reporting mistakes or suspicious activity without fear of blame or punishment. Leaders model secure behaviours and communicate why security matters, not just to the organization, but to individuals and society.
Encouraging peer learning and feedback is particularly powerful. When people learn from one another’s experiences, security becomes a shared social norm rather than an imposed rule. This aligns with socio-technical systems theory, which emphasizes that security emerges from the interaction between people, processes, and technology, not from any single component in isolation.
The Ethical and Societal Dimensions of Human-Centric Security
Human-centric cybersecurity is not only an organizational concern; it is also a societal and ethical one. The Security of Self (Laidlaw & Martin-Bariteau, 2025) argues that cybersecurity must ultimately be understood as the protection of people, not just data or infrastructure. This perspective expands the scope of cybersecurity to include dignity, autonomy, psychological well-being, and freedom from harm.
From this standpoint, practices such as victim-blaming after breaches, overly intrusive monitoring, or manipulative security designs undermine the very security they claim to protect. A human-centric approach instead emphasizes harm reduction, empowerment, and respect for individual rights.
This is particularly relevant as emerging technologies, such as artificial intelligence, immersive environments, and pervasive data collection, reshape how people interact with digital systems. Awareness efforts must help individuals understand not only how to comply with security requirements, but how to protect their own sense of self, agency, and privacy in increasingly complex digital ecosystems.
Training for Behaviour Change, Not Just Knowledge
Another critical insight from recent research is that awareness does not automatically translate into action. Knowing what to do is not the same as being able to do it under real-world conditions. Khadka and Ullah (2025) highlight the importance of adaptive, experiential, and psychologically informed training approaches that align with how adults learn and make decisions.
Gamified learning, scenario-based exercises, and just-in-time guidance can help bridge the gap between knowledge and behaviour. Equally important is acknowledging emotional and social factors, such as fear, urgency, authority, and trust, that attackers routinely exploit. Effective awareness programs address these realities head-on, equipping people with strategies to pause, reflect, and seek support when something feels wrong.
Crucially, organizations must invest in dedicated roles and resources for cybersecurity awareness. When awareness is treated as a side responsibility rather than a strategic function, its impact is inevitably limited. Human-centric security requires sustained attention, expertise, and leadership support.
A Vision for the Year Ahead
As I look ahead, my passion for human-centric cybersecurity awareness is grounded in both optimism and urgency. Optimism, because the research is clear: when organizations invest in people, through thoughtful design, supportive culture, and meaningful learning, security outcomes improve. Urgency, because the pace of digital transformation continues to outstrip our ability to support the humans navigating it.
The year ahead presents an opportunity to reimagine cybersecurity awareness as a force for empowerment rather than enforcement. To design programs that respect human limitations while unlocking human potential. To move beyond the language of weakest links and toward a narrative of shared guardianship.
If we truly want resilient organizations and societies, we must stop asking how to fix people and start asking how to support them. Human-centric cybersecurity awareness is not a soft alternative to “real” security; it is the foundation upon which real security is built.
Conclusion: From Aspiration to Action
Cybersecurity is ultimately a human endeavour. Every system is designed, operated, and defended by people. Every breach affects people emotionally, financially, and socially. Recognizing this is not a philosophical luxury; it is a practical necessity.
My hope for this year is that more organizations, leaders, and practitioners embrace this human-centric imperative, not as a trend, but as a sustained commitment. By aligning security with human needs, values, and behaviours, we can transform awareness from a compliance exercise into a catalyst for resilience.
The future of cybersecurity awareness is not about controlling people. It is about enabling them. And that is a future worth working toward.
References
Colabianchi, S., Costantino, F., Nonino, F., & Palombi, G. (2025). Transforming threats into opportunities: The role of human factors in enhancing cybersecurity. Journal of Innovation & Knowledge, 10, 100695. https://doi.org/10.1016/j.jik.2025.100695
Khadka, K., & Ullah, A. B. (2025). Human factors in cybersecurity: An interdisciplinary review and framework proposal. International Journal of Information Security, 24, 119–131. https://doi.org/10.1007/s10207-025-01032-0
Laidlaw, E. B., & Martin-Bariteau, F. (Eds.). (2025). The security of self: A human-centric approach to cybersecurity. University of Ottawa Press. https://www.uottawa.ca/research-innovation/centre-law-technology-society/security-of-self
Verizon. (2025). 2025 Data Breach Investigations Report. Verizon Enterprise Solutions. https://www.verizon.com/business/resources/reports/dbir/