Humans drive cybersecurity

Authors: Heidi Myyryläinen & Laura Palovuori

The human element is the foundation of cybersecurity

Every day we use smartphones, laptops, tablets, fitness trackers at work. In our offices and homes too, we have smart technology around us, Smart TVs, printers, streaming devices, smart speakers, thermostats, lighting, cameras and robot vacuums. Everything that is connected to internet, is potential target for cybersecurity attacks.

As Mikko Hyppönen (2022) notes, when cybersecurity works perfectly well, it is invisible. He further observes that no one is acknowledged for preventing a disaster that never occurred. Cyber threats cost for humans and institutions. In 2024, Finns lost in online fraud more than 84 million euros (Kyberturvallisuuskeskus 2025). If company databases are hacked, it can result in significant financial losses and other serious consequences.

Humans are the weakest link in cyber security – but they are also the first line of defense. (Hyppönen 2022) Technical solutions alone are not enough – people in any work environment need to understand risks. Developing awareness and skills significantly reduces these risks.

Cybercriminals use both psychological manipulation and technical tactics to steal usernames and passwords. Psychological methods often exploit human tendencies such as trust, urgency, and habit, while technical means leverage vulnerabilities in systems and networks. Attackers may send fake emails, messages, or websites that mimic legitimate services, prompting users to enter their login details. Criminals can pose as trusted figures such as vendor, police, IT support or bank representatives to get confidential information. Messages claiming an account will be locked or hacked unless immediate action is taken pressure users into acting without thinking critically. Mistakes happen easily when rushing because the brain struggles to process information optimally under pressure. When in a hurry, people tend to rely on habits and shortcuts, which can lead to errors if the situation requires a different approach. Some errors arise from routines that are simple to adjust. This can be about using weak passwords to critical systems. Downloading a malware hidden in an e-mail attachment or a link can happen in just few seconds.

Organizations face various cyber risks, and often the reliance on digital systems is just growing. In any case, cybersecurity is a key issue in any business in many ways. Cybercriminals exploit vulnerabilities through data breaches, phishing scams, and malware to steal sensitive information or disrupt operations. Weak security practices and human errors make it easier for attackers to infiltrate networks and cause financial or reputational damage. Critical infrastructure, automation systems, and IoT devices introduce additional risks, as they can be targeted for sabotage or disruption. Organized groups are also seeking to steal intellectual property or manipulate information for political or economic gain.

Communication skills matter

Effective communication in cybersecurity is one of the essential skills that individuals and organizations can be trained for. Communication can ensure that security concerns are clearly understood and addressed by everyone in the organization, regardless of their role. In a field where small details can have major consequences, it’s critical that all employees, whether in technical or non-technical positions, are able to convey and understand security risks accurately. Miscommunication can lead to vulnerabilities, delays in response, or actions that inadvertently compromise security.

In high-pressure situations, such as a data breach or active attack, clear and concise communication can help prevent panic and reduce potential damage. Conversely, in day-to-day operations, fostering a culture of open, proactive communication encourages collaboration and empowers employees to voice concerns about potential risks or vulnerabilities. By cultivating an environment where communication is valued and timely, organizations can build a more resilient and responsive cybersecurity culture. Cybersecurity communication is a vital skill that blends emotional intelligence, clarity, and security awareness. It evolves with technology and cyber threats, requiring ongoing development. Nurturing strong communication habits can be a powerful asset in defending against cybercrime.

What does an optimal culture for cybersecurity look like?

In cybersecurity, people remain still the most important factor both in risks and in solutions. Therefore, organizations should see employees as important part of their cybersecurity deference. Ultimately, it is people and organizational cultures that influence on security. It is not just individuals but also the organizational cultures reflecting the values, beliefs and behaviors and how people interact with security processes. (Granova et al. 2023)

A strong cybersecurity culture goes beyond policies and training. When cybersecurity is valued, it is part of everyday work and decisions in a short and long term. A resilient cybersecurity culture is based on every day work practices and awareness of security risks. Also, the collaboration has an important role in cybersecurity in many ways. Collaboration can lead to better awareness and better knowledge-sharing, enabling teams to recognize and respond to security threats better. When employees consider security as a natural part of their daily tasks, the organization becomes more secure. Organizations can also train cybersecurity champions, employees who promote good security practices, strengthening habits and encouraging others to take security seriously. (Granova et al. 2023)

It is important to ensure that the organization’s knowledge, skills, and policies remain up to date by seeking resources and fostering a culture of learning. Cybersecurity is not just about getting protected from threats, it is also about understanding the role of trust and empowering people to be aware of protecting the key resources.

References

Granova, V., Mashatan, A., Turetken, O., Schmorrow, D. D., & Fidopiastis, C. M. 2023. Changing Hearts and Minds: The Role of Cybersecurity Champion Programs in Cybersecurity Culture. In Dylan D. Schmorrow & Cali M. Fidopiastis (eds). Augmented Cognition. Springer. Lecture Notes in Computer Science, vol. 14019. 416-428. Cited 25 March 2025. Available at https://doi.org/10.1007/978-3-031-35017-7_26

Hypponen, M. 2022. If It’s Smart, It’s Vulnerable. Hoboken: Wiley.

Kyberturvallisuuskeskus. 2025. Näin tunnistat aidot verkkosivut ja viranomaiset – vältä huijaukset verkossa. Kyberturvallisuuskeskuksen viikkokatsaus 12/2025. Cited 25 March 2025. Available at https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kyberturvallisuuskeskuksen-viikkokatsaus-122025#83695-0

Authors

Heidi Myyryläinen works as an RDI Specialist at LAB University of Applied Sciences.

Laura Palovuori works as an RDI Specialist at Centria University of Applied Sciences.

Both authors are involved in the Distance LAB – Remote Service Hub for SMEs and the Public Sector project.

Illustration: https://pxhere.com/fi/photo/1440395 (CC0)

Reference to this article

Myyryläinen, H. & Palovuori, L. 2025. Humans drive cybersecurity. LAB Pro. Cited and date of citation. Available at https://www.labopen.fi/en/lab-pro/humans-drive-cybersecurity/