Why human behavior risk is central to building true cybersecurity resilience

28 May 2026 Consultancy-me.com
Chief Information Officers (CIOs) seeking to curb and mitigate cyber risks often focus on technology and organisational defences. In doing so, however, they should not overlook the critical role of human behaviour, writes Bailey Bell from Aon.

Organisations have spent decades investing in cybersecurity technologies – firewalls, intrusion detection systems, and AI-driven monitoring tools. Yet despite these investments, breaches continue to rise in frequency and impact.

While new cyber threats continue to emerge, it is increasingly clear that cybersecurity is no longer primarily a technology problem. It is also a human behaviour problem. To build true resilience, organizations must move beyond simply managing cyber risk to understanding and shaping cyber behaviour.

Human-led risks

The rising costs associated with cyber incidents are unambiguous. IBM research shows that the average global cost of a data breach is $4.45 million, up significantly in recent years, and notably higher in the Middle East, where it is estimated at approximately $7.1 million.

The “human element” is equally clear. A World Economic Forum study found that 95% of cybersecurity breaches involve a human factor, whether through error, manipulation, or poor decision-making. For instance, over 90% of cyberattacks begin with phishing, making it the most common entry point for threat actors, according to research from CISA.

Solving the right challenge?

Despite clear evidence, most cybersecurity strategies still rely on annual awareness training, policy enforcement, compliance tracking, phishing simulations and click-rate metrics. These approaches are necessary but insufficient.

They assume that if employees understand policies, recognize threats, and complete the required training, they will behave securely. However, decades of research in psychology and cybersecurity suggest otherwise. The data shows that awareness does not reliably translate into behavior change; that security behavior is shaped by psychological, social, and contextual factors; and that human error and decision-making biases are central to cyber vulnerability.

This points to a fundamental gap – organizations measure what people know, but not how they behave under pressure.

Why awareness and simulations alone fall short

Phishing simulations and training programs provide useful signals but are limited in what they tell us. They do not answer critical questions such as: Why did an employee click? Was it due to distraction, a sense of urgency, or cognitive overload? Do certain individuals consistently show higher behavioral risk? Are some teams or functions more vulnerable than others?

Research shows that cyber threat susceptibility is often driven by heuristic processing and attentional bias, rather than simply a lack of knowledge. We also know that personality traits such as impulsiveness, conscientiousness, and risk tolerance heavily influence cybersecurity behavior.

In practice, this means two employees with the exact same training can respond very differently to the exact same cyber threat. Yet most organizations treat them as equally secure.

From risk to resilience

To address this gap, organizations must evolve their approach. Cybersecurity resilience is not achieved through awareness alone; it requires:

  • Understanding behavioral resilience and vulnerability
  • Identifying risk at an individual and group level
  • Predicting how employees will respond in real-world scenarios
  • Targeting interventions where they are most needed

This is where a nuanced psychological and people analytics approach to cybersecurity becomes critical.

Aon’s Cybersecurity Resilience Assessment

To support this shift, Aon has developed a new offering: the ‘Cybersecurity Resilience Assessment’. The solution is designed by occupational psychologists in close collaboration with cybersecurity experts and informed by Aon’s longstanding expertise in risk.

This solution moves beyond basic awareness to provide a data-driven understanding of human cyber resilience to ensure risk is minimized. It combines multiple evidence-based components, including:

  • Behavioral judgment evaluation (SJQ-based) to assess decision-making in realistic cyber scenarios
  • Cyber knowledge testing aligned to ISO and NIST standards to establish foundational understanding
  • Personality profiling to identify stable behavioral tendencies using a cybersecurity tailored version of Aon’s ADEPT-15 personality questionnaire
  • Cognitive assessment to evaluate attention, reasoning, and analytical thinking under pressure

The strength of the approach lies in its integration. It does not assess each factor in isolation but examines how knowledge, personality, cognitive function and behavior interact to drive cyber decisions in real time. This multi-method approach is grounded in decades of assessment research demonstrating the predictive validity of combining assessment methods.

From Insight to Action

The real value of the Cybersecurity Resilience Assessment is not just measurement; it is actionable insight. By completing the Cybersecurity Resilience Assessment, organizations gain:

Visibility of Human Cyber Risk
Identify individuals and teams with elevated behavioral risk and pinpoint “hotspots” across functions, teams or locations

Identification of Cybersecurity Champions
Highlight individuals with strong judgement and resilience and leverage these Champions as role models or internal advocates

Targeted Intervention Strategies
Move beyond generic training to tailored interventions based on behavioral judgement gaps, cognitive vulnerabilities and personality-driven risk patterns

Data-Driven Cyber Governance
Integrate behavioral resilience and risk insights into enterprise risk frameworks, and address behavioral risk in audit and compliance reporting on cybersecurity maturity

Enhanced Organizational Resilience
Reduce susceptibility to cyber threats such as phishing and social engineering, improve decision-making under pressure, and strengthen overall cyber capability at scale

Cybersecurity as a behavioral capability

As cyber threats become more sophisticated, attackers are increasingly targeting human psychology, not just system vulnerabilities.

This requires a fundamental shift from awareness to behavioral insight, from compliance to capability, and from reactive metrics to predictive intelligence.

Cybersecurity resilience will increasingly depend on an organization’s ability to: understand how employees think and act under pressure; identify behavioral risk before incidents occur; and continuously develop human capability alongside technical controls.

Organizations that continue to rely solely on awareness training and phishing simulations will remain exposed. Those that invest in understanding and developing cybersecurity behavior will gain a significant advantage in resilience.

Conclusion

In today’s rapidly evolving cyber risk landscape, it is time to act on the human dimension alongside technical investments, moving beyond awareness to build true cybersecurity resilience. Aon’s behavioral approach offers a practical and evidence-based way forward, yielding actionable insights that inform targeted interventions to strengthen your human defense against cyber threats.
