Human Factors in Cybersecurity

Editors: Abbas Moallem, Kitty Kioskli
Topics: Human Factors in Cybersecurity
ISBN: 978-1-964867-84-7
DOI: 10.54941/ahfe1007227
Table of Contents
A Human Factors-Cyber-Safety Framework for Risk and Requirements in Critical Infrastructure
Cyber-attacks on critical infrastructure are increasing in scale and sophistication, yet cybersecurity practice remains dominated by technology-centric assessments that insufficiently represent human contributions to risk. In cyber-physical systems (CPS), non-malicious human actions (including slips, mistakes, workarounds, training gaps, and misaligned procedures) frequently create, amplify or fail to detect vulnerabilities. This paper presents an integrated socio-technical framework that combines Human Factors (HF) methods, safety analysis, and cybersecurity modelling within a Secure-by-Design approach. The framework models how human performance variability influences cyber vulnerability and safety outcomes, enabling structured, scenario-based risk assessment and the derivation of traceable engineering requirements. An illustrative application demonstrates how HF findings are translated into human error mechanisms, cyber effects, unsafe control actions, safety impacts, and prioritised Secure-by-Design controls. By operationalising HF methods as cybersecurity engineering tools, the approach reframes cybersecurity as a socio-technical reliability problem comparable to safety engineering.
Eylem Thron, Duncan Ki-Aries, Martin Freer, Huseyin Dogan, Shamal Faily
Open Access
Article
Conference Proceedings
Cognitive Load and Compliance: A Human-Centric Framework for NIS2 in Latvian SMEs
The transposition of the EU NIS2 Directive into Latvia’s National Cybersecurity Law (NKDL) significantly expands the scope of regulation: from ~1,000 to ~8,000 organizations, many of them SMEs without dedicated security teams. The aim of this paper is to develop a human-centric compliance framework for Latvian SMEs that operationalizes selected NIS2/NKDL cybersecurity requirements through a cognitive-load perspective. This paper frames NIS2 compliance as a cognitive ergonomics problem and develops a low-friction “NIS2 Compliance Starter Pack” that reduces response cost while preserving auditable evidence. Using a socio-technical synthesis, NKDL obligations are mapped to pragmatic controls and to workload indicators derived from the NASA Task Load Index (NASA-TLX). The developed framework prioritizes secure-by-default interventions, such as default multi-factor authentication, automated security nudges, and micro-learning, over high-intensity training that often produces fatigue and workarounds. Sustainable cyber resilience is treated as an engineered property of the work system rather than a checklist outcome.
Imants Breidaks, Henrijs Kalkis, Anton Semenov
Open Access
Article
Conference Proceedings
Eye tracking study to analyze context encoding during phishing decision making
Phishing and spear-phishing remain among the most persistent cybersecurity threats. This study examines end-user decision-making in spear-phishing contexts by modelling the relationship between visual attention and responses using eye-tracking measures. Forty-eight university students completed an email management task while eye movements were recorded with a Tobii Nano Pro tracker. Participants classified 50 emails (phishing, spear-phishing, promotional, legitimate) drawn from a corpus of 481 messages. Cognitive load was manipulated via concurrent puzzle solving and validated using NASA-TLX. To minimize bias, participants assumed fictional personas and made realistic decisions without explicit phishing instructions. Cognitive load and fatigue showed no significant effect on phishing susceptibility, though later trials exhibited a marginal increase in response bias. In contrast, eye-tracking metrics strongly predicted decisions. Logistic regression revealed that longer first fixation durations and higher saccade counts increased likelihood of responding, while larger pupil diameters were negatively associated with responses. Beyond results from the experiment, the study proposes attention-based representations integrating eye-tracking with natural language processing to improve cognitive models.
Tianhao Xu, Prashanth Rajivan
Open Access
Article
Conference Proceedings
Enhancing Cybersecurity Learning Through Online Platforms and Gamified Approaches
The way teaching used to be done in a lab just doesn’t show how important it is to be real, be lively, and think differently when it comes to modern security practice. As a result, the rise of online cybersecurity platforms, the use of challenge-based environments, and the use of game-based learning methods have all become powerful additions to traditional teaching methods. This paper looks at how well interactive methods work in teaching by combining what the public knows, well-known learning theories, and what instructors have experienced in undergraduate and postgraduate cybersecurity courses. The present study looks at how online platforms, virtual training areas, gamified exercises and Capture-the-Flag (CTF) competitions can make people more interested, independent and able to learn. The research looks at how new technologies, like Internet of Things (IoT) systems, blockchain infrastructures, and distributed cyber-physical environments, will affect the future of cybersecurity training. The paper ends with a blended learning framework and a research design for future real-world testing, emphasising the need to include practical digital ecosystems in today’s cybersecurity courses.
Dimitris Koutras, Kitty Kioskli, Vangelis Malamas
Open Access
Article
Conference Proceedings
Privileged Learning for Instance Representation in Cognitive Models of Phishing Decisions
Risk arising from human behavior, such as employees falling victim to phishing, continues to undermine organizational security posture. Prior work has attributed phishing susceptibility to attentional failures in detecting suspicious cues, motivating training approaches focused on detecting such cues. However, growing evidence suggests that susceptibility to phishing is better explained through the activation and retrieval of relevant experiences from memory. Models capable of estimating awareness gaps and predicting how individuals respond to or report phishing emails are therefore critical for delivering personalized training and testing interventions. A key challenge in building such cognitive models is finding effective ways to represent the contextual cues that shape how individuals perceive, store, and recall phishing-related content. This paper applies a privileged learning strategy to construct richer instance representations within cognitive models of phishing judgment. Combining instance-based learning (IBL) with neural network-based text similarity, we infer how recipients interpret email content and underlying intent. Results indicate that this privileged learning pipeline substantially enhances the predictive ability of cognitive models of phishing, opening new methods for developing individualized anti-phishing interventions.
Elaheh Mehrabi, Prashanth Rajivan
Open Access
Article
Conference Proceedings
Calibrating Trust in AI-Driven Cyber Defenses: Human Reliance, Resistance, and Decision Dynamics
AI-supported cybersecurity tools are increasingly embedded in operational environments, yet an important question remains underexplored: how do human analysts decide when to trust, doubt, or challenge automated recommendations? While prior research addresses trust in automation broadly, studies grounded in security operations remain limited. In Security Operations Centers (SOCs), analysts process high volumes of alerts under time pressure, while automated outputs vary in reliability. These conditions influence how trust develops, but their combined effects are rarely examined systematically. This paper approaches trust as a dynamic process that evolves during real investigative work. The study adopts a mixed-method research design combining controlled experiments with qualitative analysis. Simulated SOC scenarios allow participants to interact with an AI-based alert triage tool while their behavior and interpretations are observed. Results indicate that small interface design elements—such as explanation phrasing and the frequency of high-confidence alerts—can significantly influence analyst behavior, shaping patterns of over-reliance or persistent skepticism. The findings inform design principles for AI-driven cybersecurity systems that support balanced human–AI collaboration.
Vangelis Malamas, Dimitris Koutras
Open Access
Article
Conference Proceedings
Governing the human factor in cybersecurity: A regulatory perspective
In an increasingly interconnected world, cyberattacks have emerged as one of the most pressing global threats, endangering critical infrastructure, compromising sensitive data, and disrupting essential services across sectors. As a result, cybersecurity has become a key policy priority at all levels of governance. In response, the European Union (EU) adopted, inter alia, the Cybersecurity Strategy for the Digital Decade and significantly expanded its legislative framework to strengthen cybersecurity requirements through both horizontal and sector-specific regulatory instruments. Alongside policy instruments, cybersecurity efforts have emphasised technical measures to address the evolving cybersecurity threat landscape. However, there is growing recognition that cybersecurity cannot be effectively understood or addressed solely through technical measures. Cybersecurity posture depends not only on technological safeguards but also, fundamentally, on the so-called ‘human factor’. Against this backdrop, this article examines how the human factor is conceptualised and addressed within the EU’s cybersecurity legal frameworks. Adopting a qualitative, interdisciplinary approach grounded in doctrinal legal research, the article analyses the regulatory treatment of the human factor within EU cybersecurity law. It contributes to broader debates on cybersecurity governance by identifying regulatory gaps, proposing recommendations for better integrating human-centred cybersecurity strategies into EU regulatory frameworks, and outlining avenues for future research to strengthen cybersecurity resilience.
Dusko Milojevic, Jan De Bruyne, Maja Nisevic
Open Access
Article
Conference Proceedings
Assessing Trust in Digital Service Engineering: An Empirical Case Study of Public CCTV Analytics in Germany
In the fields of digital Service Engineering and Requirements Engineering, trust is a crucial factor in ensuring the acceptance and adoption of technology by its users. Previous research has investigated trust determinants in various digital services. This study builds upon that work by conducting an empirical examination of trust factors in public video analytics systems in Germany. The study explores general perceptions of trustworthiness, trust-building factors, concerns, and benefits of these systems as they relate to public safety and security. The results of the study provide an empirical view and interpretation of predefined trust determinants for public video analytics, benefiting a higher acceptance rate by individuals. Conclusions include the importance and distribution of these determinants for this exemplary socio-technical system as well as general findings regarding the perception of trustworthiness of these systems. Additionally, the study validates a trust-indicating logo and assesses its impact on perceived trustworthiness of the system. This work adds to the ongoing discussion of Requirements Engineering for trustworthy digital services.
Steven Schmidt
Open Access
Article
Conference Proceedings
Simulating the Threat: A Phishing Campaign to Enhance Cyber Resilience in a Large Organization
The human element remains the most critical, yet often least addressed, vulnerability in organizational cybersecurity. For any company, effective security awareness must evolve beyond static training to include realistic, experiential learning. This report details the planning, execution, and outcomes of a controlled, simulated social engineering phishing campaign conducted within such an organization. The primary objective was to use Social Engineering as a Cybersecurity Awareness Tool to transform passive policy knowledge into active, reflexive cyber-resilience among employees. By providing direct, practical experience with a leading open-access tool like Gophish, followed by training lectures, these campaigns aim to transform phishing exercises from a compliance checkpoint into an integrated, continuous practice.
Leandros Maglaras, Kitty Kioskli, Antonis Adamakos, Stavros Kyriakoudes, Demetris Antoniou, Nestoras Chouliaras
Open Access
Article
Conference Proceedings
Micro-Decisions Under Time Pressure and Dark Patterns in Digital Interfaces
Many risky actions are not caused by people deciding to do them, but by small mistakes that happen when we use digital technology every day. People often see permission dialogs, cookie banners, consent prompts and security warnings when they're not paying full attention and have a lot of other things going on in their minds. Research into cybersecurity has mostly looked at large-scale behaviours, like phishing response patterns or how people manage their passwords. But it has not looked at how short-term thinking affects people's ability to make good decisions about privacy and security. This theoretical work looks at how time pressure, cognitive fatigue, and interface manipulations ("dark patterns") create privacy issues that distort user judgment at the exact moment a security-relevant choice must be made. The paper looks at how small decisions are affected by limited attention, and when users don't have a lot of time, they often make quick decisions and rely on their instincts. When people are tired, they find it harder to tell the difference between safe and unsafe options. This research looks at how users behave when they are dealing with security prompts according to the related work. It also shows that privacy mistakes at a very small level can be seen as problems with how things are designed, rather than problems with motivation or education. This research makes it easier to understand privacy and permission errors as human-factors phenomena.
Dimitris Koutras, Kitty Kioskli, Vangelis Malamas
Open Access
Article
Conference Proceedings
Designing an AI-Driven Framework for Human-Centered Cybersecurity Practices
Cybersecurity systems are often fragmented and difficult to navigate, leaving organisations, particularly small and medium-sized enterprises (SMEs), struggling to implement effective, human-centered, and resilient security practices. End users face dispersed resources, complex regulatory requirements, and limited practical guidance, resulting in uneven levels of preparedness and cyber hygiene. These gaps undermine decision-making, organisational resilience, and the effectiveness of certification and compliance processes. To address these challenges, the paper proposes a holistic, conceptual framework that integrates human-centered principles with explainable artificial intelligence (AI) and system-level collaboration. Drawing on established approaches in human-centered security, privacy-by-design, resilience engineering, regulatory science, and AI-driven decision support, the framework aligns with the European Cybersecurity Skills Framework (ECSF). It synthesises insights from cross-sector analyses, socio-technical modelling, and European cybersecurity initiatives that emphasise interoperability and human factors. The framework is structured around five interconnected components: (i) a human-centered decision-support layer using explainable AI; (ii) a harmonised catalogue of cybersecurity, training, and regulatory resources; (iii) an interoperability and collaboration layer enabling structured, machine-readable information exchange; (iv) an adaptive learning and training component aligned with behavioural and competency models; and (v) a trust-by-design compliance engine supporting certification and conformity assessment. The analysis shows that combining human factors with explainable AI produces clearer, more actionable guidance while reducing cognitive and operational burden. Interoperability and collaboration mechanisms help overcome fragmentation, while adaptive learning pathways tailor support to skill levels and organisational maturity.
Overall, the framework reframes cybersecurity as a socio-technical system shaped by people, regulation, and collaboration. Future work will empirically validate the framework across diverse organisational contexts to assess its practical impact.
Kitty Kioskli, Pedro Tomas, Wissam Mallouli, Joao Fernandes, Dimitris Koutras, Luis Cordeiro, Dimitrios Kallergis
Open Access
Article
Conference Proceedings
Beyond Security Awareness: A Scoping Review of Human Factors in SME Cyber Resilience Frameworks (2018-2026)
Small and medium-sized enterprises (SMEs) face cyber-attacks with disproportionate impact and limited capacity, yet the human-factors (HF) dimension of cyber resilience for this population remains methodologically heterogeneous. This scoping review maps how cyber resilience and cybersecurity frameworks for SMEs published between January 2018 and May 2026 operationalize HF constructs. Following PRISMA-ScR, we identified 482 records from four databases (Scite, Elicit, OpenAlex, Semantic Scholar) via twelve productive searches, including both keyword-style queries and an apples-to-apples replay of the same Scite Boolean strings on the keyword-indexed engines. After deduplication we screened 345 unique titles, assessed 126 for full-text eligibility, and synthesized 52 chart-eligible frameworks. To address the risk of abstract-only charting, all 52 frameworks were read in full text and the coding re-validated against the original PDF. Security awareness dominates the SME HF lexicon (40/52, 77%); decision support (52%) and behavior change (44%) follow at moderate distance. Usability evaluation (12%), incident-response HF (13%), explicit technology acceptance (10%), trust modeling (10%), and cognitive workload (4%) remain underrepresented. Operationalization skews toward narrative process descriptions and single-item markers; metric-level operationalization and validated interventions are rare. We conclude with a research agenda for HF-explicit SME cyber resilience frameworks.
Jonathan Thelen
Open Access
Article
Conference Proceedings
The Human Factor in Cyber Resilience: Behavioural, Organisational and Sociotechnical Perspectives
Organisations increasingly recognise that cyber resilience cannot be achieved through technical controls alone, but critically depends on how individuals perceive and enact security requirements in everyday work. This paper synthesises current knowledge on the human factor in cyber resilience at the intersection of behaviour, organisational culture and sociotechnical design. First, core constructs are clarified by linking cyber resilience with established approaches from human factors and work and organisational psychology, including stress and cognitive load, trust and the psychological contract, security culture and human–technology interaction. On this basis, three levels of analysis are distinguished: an individual level (psychological resources and decision processes), an organisational level (leadership, culture, work organisation, perceived fairness and support) and a sociotechnical level (design of technologies, interfaces and digital assistance systems). Second, the paper conducts a structured narrative review of recent empirical and conceptual literature, drawing on seven scientific databases and restricted to peer-reviewed publications from 2023 onwards, to synthesise recurring psychological and organisational mechanisms that influence security-relevant behaviour. Particular attention is paid to tensions between productivity pressures and security demands, as well as to the roles of emotions, fatigue and habituation in real-world decision making. Third, the contribution formulates a literature-based research agenda that highlights key priorities for future interdisciplinary research and for the development of resilience-oriented awareness programmes, leadership practices, work organisation and adaptive sociotechnical solutions.
Lena Von Damaros
Open Access
Article
Conference Proceedings
AHFE Open Access