
Finance worker tricked by AI deepfake scam


John Smith, a finance worker at a Hong Kong firm, was tricked into transferring $25 million after attending a video call with what appeared to be the company’s CFO and other colleagues. Each person on the call was a convincing AI-generated deepfake. The attackers used publicly available footage to clone faces and voices, creating a seamless illusion that exploited trust and familiarity.

This case highlights how human behavior can be a vulnerability in cybersecurity. Attackers often play on urgency to override caution, impersonate authority figures to disarm skepticism, and drip-feed small requests to trigger consistency bias. Traditional identity and access management (IAM) strategies tend to assume that users will behave predictably and rationally.

However, the reality inside most organizations is far messier. People work quickly, switch contexts constantly, and are bombarded with notifications, tasks, and requests. If security controls feel too rigid or burdensome, users will find workarounds.

If prompts are too frequent, they’ll be ignored. Good security mechanisms shouldn’t add friction; they should seamlessly guide users towards better choices.

Human behavior in cybersecurity settings

Applying principles like Zero Trust, least privilege, and just-in-time access can dramatically reduce exposure, but only if they’re implemented in ways that account for cognitive load and context. Automation can help here: granting and revoking access based on dynamic risk signals, time of day, or role changes without requiring users to constantly make judgment calls. Done right, security becomes an invisible safety net, quietly adapting in the background, rather than demanding constant interaction.

Technology may enforce access policies, but culture determines whether people follow them. Building a secure organization has to be about more than simply enforcing compliance. That starts with security training that goes beyond phishing drills and hygiene to address how people actually think and react under pressure.


Equally important is removing unnecessary friction. When access controls are intuitive, context-aware, and minimally disruptive, users are more likely to engage with them properly. Role-based and attribute-based access models, combined with just-in-time permissions, help reduce overprovisioning without creating frustrating bottlenecks.
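The automated, just-in-time access described above (grants driven by role, risk signals, and time of day, then revoked without user involvement) can be sketched as follows. This is an added example, not code from DevX or any product; the role names, permissions, thresholds, and risk scores are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All names, thresholds and sample values here are constructed for illustration.
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time
MAX_RISK = 0.7                  # above this score, access is denied outright
ELEVATED_RISK = 0.4             # above this score, the grant window shrinks
ENTITLEMENTS = {
    "finance": {"payments:approve"},
    "engineering": {"repo:write"},
}

@dataclass
class Grant:
    user: str
    role: str
    permission: str
    expires: datetime

def request_access(user, role, permission, risk, now):
    """Return a short-lived Grant, or None if policy denies the request."""
    if permission not in ENTITLEMENTS.get(role, set()):
        return None                             # least privilege: role lacks it
    if risk > MAX_RISK:
        return None                             # dynamic risk signal too high
    ttl = timedelta(minutes=60)
    if now.hour not in BUSINESS_HOURS:
        ttl = timedelta(minutes=15)             # off-hours: shorter window
    if risk > ELEVATED_RISK:
        ttl = min(ttl, timedelta(minutes=10))   # elevated risk: shorter still
    return Grant(user, role, permission, now + ttl)

def is_valid(grant, current_role, risk, now):
    """Re-check on every use, so expiry, role changes and risk revoke access."""
    return (
        now < grant.expires
        and grant.permission in ENTITLEMENTS.get(current_role, set())
        and risk <= MAX_RISK
    )
```

The user never chooses a duration or remembers to give access back: the grant expires on its own, and a role change or a rising risk score invalidates it at the next check.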

Ultimately, fostering a strong security culture, understanding the psychological underpinnings of user behavior, and aligning security practices with how people actually work will be key. The human element in cybersecurity isn’t going away, but with the right approach, it can be leveraged as a significant asset.

kirstie_sands
Journalist at DevX

Kirstie is a technology news reporter at DevX. She reports on emerging technologies and startups waiting to skyrocket.
