They say people are your weakest link... We think not

For decades, cyber security discourse has claimed that people are the weakest link. The phrase, while appealing in its simplicity, risks misdiagnosis. It places blame on individuals rather than recognising that human error is often the predictable outcome of systemic design, cultural cues, and leadership signals.

Data from Stanford University (Sjouwerman, 2021) suggests that 88% of breaches involve human error. Yet research by Perry Carpenter and Kai Roer (2022) shows that when an organisation builds a mature security culture, human behaviour becomes a force multiplier.

So, are people really the problem, or is it the systems that shape them?

Human limits in complex systems

The evidence is clear. Hancock and Tessian (2022) found that 88% of breaches stem from human error, while Verizon's 2023 Data Breach Investigations Report reported a similar pattern: nearly three-quarters of incidents involve a human element.

People are time-pressured and prone to shortcuts. At a time when we're overloaded with information and increasingly convincing fakes, perfect decisions don’t exist.

Behavioural science explains it. Under pressure, our fast, instinctive System 1 thinking takes over before reason has a chance to catch up.

Most awareness programmes miss this, treating mistakes as ignorance instead of inevitability. Governance then tends to respond with more control:

  • Zero Trust architectures to limit discretion

  • Automation to reduce decision points

  • Policies that restrict behaviour rather than enable it

Technology can block threats, but only people can judge intent. Human insight brings the creativity, ethics and context that security depends on.

Culture as the strongest control

When viewed through the lens of culture, people become the solution. Humans perceive nuance, spot anomalies and exercise judgement that algorithms cannot match.

Carpenter and Roer (2022) found that strong security cultures correlate with fewer incidents and faster responses. In these environments, employees don’t just comply - they commit.

Culture shapes how policy is interpreted and acted upon:

  • High-trust, learning cultures encourage initiative and openness

  • Fear-based cultures drive concealment and disengagement

Technology defines what's possible; culture defines what's acceptable. Without cultural maturity, even the most advanced systems are fragile.

Author: Jack Sharpe, Head of Cyber Security Consulting