A Human Factors-Cyber-Safety Framework for Risk and Requirements in Critical Infrastructure
Abstract
Cyber-attacks on critical infrastructure are increasing in scale and sophistication, yet cybersecurity practice remains dominated by technology-centric assessments that insufficiently represent human contributions to risk. In cyber-physical systems (CPS), non-malicious human actions (including slips, mistakes, workarounds, training gaps, and misaligned procedures) frequently create, amplify or fail to detect vulnerabilities. This paper presents an integrated socio-technical framework that combines Human Factors (HF) methods, safety analysis, and cybersecurity modelling within a Secure-by-Design approach. The framework models how human performance variability influences cyber vulnerability and safety outcomes, enabling structured, scenario-based risk assessment and the derivation of traceable engineering requirements. An illustrative application demonstrates how HF findings are translated into human error mechanisms, cyber effects, unsafe control actions, safety impacts, and prioritised Secure-by-Design controls. By operationalising HF methods as cybersecurity engineering tools, the approach reframes cybersecurity as a socio-technical reliability problem comparable to safety engineering.
Keywords: Human Factors, Cybersecurity, Safety-critical Systems, Critical Infrastructure, Risk Modelling, Secure-by-design
DOI: 10.54941/ahfe1007407


AHFE Open Access