Pillar 5 – Human factors, AI & Cyber Awareness

Cybersecurity isn’t just a technical problem – it’s a human one too. The majority of successful cyberattacks exploit people, not systems. Whether through phishing, weak passwords, or social engineering, human behaviour remains the most critical factor in security.

At the same time, artificial intelligence is transforming both cyber defence and cybercrime, reshaping how attacks are carried out and prevented.

This guide explores the intersection of human factors, AI, and cyber awareness, helping individuals and organisations reduce risk in an increasingly complex threat landscape.


Why Human Factors Matter in Cybersecurity

Humans are often seen as the weakest link – not because they’re careless, but because attackers exploit:

  • Trust
  • Urgency
  • Curiosity
  • Lack of awareness

Common human-driven vulnerabilities:

  • Reused or weak passwords
  • Falling for phishing emails
  • Misconfiguring systems
  • Ignoring security warnings

Even the most advanced security systems can be bypassed if a user is tricked into granting access.


Social Engineering & Psychological Attacks

Social engineering is the art of manipulating people into revealing sensitive information or performing actions.

Common techniques:

  • Phishing – Fake emails or websites
  • Spear phishing – Targeted attacks
  • Pretexting – Creating believable scenarios
  • Baiting – Offering something enticing (e.g., USB drives)

These attacks are effective because they:

  • Mimic legitimate communications
  • Exploit emotional responses
  • Require minimal technical skill

The Password Problem

Passwords have long been a core security mechanism – but they are fundamentally flawed.

Key issues:

  • Easily guessed or reused
  • Vulnerable to phishing and leaks
  • Difficult for users to manage securely

The Shift to Passkeys

Passkeys replace passwords with:

  • Cryptographic authentication
  • Biometric verification (e.g., fingerprint, face recognition)
  • Device-based security

Passkeys have been adopted by major platforms including Apple, Google, and Microsoft.
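
To show why the “cryptographic authentication” behind passkeys resists phishing, here is an added Go sketch (not the page’s or any vendor’s code) of a simplified WebAuthn-style flow: the credential is scoped to a relying-party ID, the browser only signs when the page origin matches it, and the server verifies the signature over the challenge and origin it issued. The rpID example.com, the lookalike examp1e.com and the challenge values are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"net/url"
)

// Passkey simulates a WebAuthn credential: a P-256 key pair scoped to one relying-party ID.
type Passkey struct {
	RPID string
	Priv *ecdsa.PrivateKey
}

// Register creates a credential bound to rpID (simplified stand-in for WebAuthn registration).
func Register(rpID string) (*Passkey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{RPID: rpID, Priv: priv}, &priv.PublicKey, nil
}

// signedData mirrors what WebAuthn signs: authenticatorData (here just sha256(rpID)) || sha256(clientData).
func signedData(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256([]byte(origin + "|" + string(challenge)))
	return append(rpHash[:], clientHash[:]...)
}

// Assert plays browser plus authenticator: no signature unless the page origin's host equals the rpID.
func (p *Passkey) Assert(origin string, challenge []byte) ([]byte, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("passkeys require an https origin")
	}
	if u.Hostname() != p.RPID {
		return nil, errors.New("credential is not scoped to this origin")
	}
	digest := sha256.Sum256(signedData(p.RPID, origin, challenge))
	return ecdsa.SignASN1(rand.Reader, p.Priv, digest[:])
}

// Verify is the server side: it checks the signature over the origin and single-use challenge it expects.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge, sig []byte) bool {
	digest := sha256.Sum256(signedData(rpID, expectedOrigin, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A password typed into examp1e.com works anywhere it is replayed; here the lookalike never obtains a signature, and a captured signature fails against any other challenge.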

Related: The problem with passwords, Ditch the password


The Role of AI in Cybersecurity

Artificial intelligence is transforming both sides of cybersecurity.


AI in Defence

AI helps organisations:

  • Detect anomalies in real time
  • Identify phishing attempts
  • Automate threat detection and response
  • Analyse large volumes of security data

AI in Cyber Attacks

Attackers are also leveraging AI to:

  • Generate highly convincing phishing emails
  • Automate vulnerability discovery
  • Create deepfake content for impersonation
  • Scale attacks with minimal effort

Phishing in the Age of AI

AI has made phishing:

  • More convincing
  • Harder to detect
  • More scalable

Modern phishing characteristics:

  • Personalised content
  • Perfect grammar and tone
  • Realistic branding

Users can no longer rely on “obvious mistakes” as warning signs.

Related: AI & Deepfakes


Insider Threats & Human Error

Not all threats are external.

Insider risks include:

  • Accidental data exposure
  • Misconfigured systems
  • Malicious insiders

Human error remains one of the leading causes of security breaches.


Everyday Technology Risks

Many cyber risks come from everyday behaviour:

Devices & Endpoints

  • Using unsecured Wi-Fi
  • Installing untrusted apps
  • Failing to update software

Physical Security

  • Plugging in unknown USB devices
  • Leaving devices unlocked

Building Cyber Awareness

Cyber awareness is about enabling users to:

  • Recognise threats
  • Make informed decisions
  • Act securely by default

Effective Awareness Strategies

1. Continuous Training

  • Regular, up-to-date education
  • Real-world examples

2. Simulated Attacks

  • Phishing simulations
  • Social engineering tests

3. Clear Policies

  • Simple, actionable guidance
  • Plain, non-technical language

Making Security Usable

Security must be:

  • Easy to understand
  • Easy to follow
  • Integrated into workflows

If security is too complex, users will bypass it.


Practical Steps for Individuals

  • Use passkeys or strong MFA
  • Be cautious with emails and links
  • Keep devices updated
  • Avoid unknown USB devices
  • Verify unusual requests

Practical Steps for Organisations

  • Implement Zero Trust principles
  • Deploy phishing-resistant authentication
  • Monitor user behaviour
  • Foster a security-first culture

The Future of Human-Centric Security

Expect:

  • Increased use of AI-driven attacks
  • Greater reliance on passwordless authentication
  • More focus on user behaviour analytics
  • Integration of security into user experience design

Cybersecurity will increasingly focus on people, not just technology.


Final Thoughts

Technology alone cannot solve cybersecurity. Human behaviour, awareness, and decision-making play a central role in both attacks and defence.

By combining:

  • Strong authentication
  • AI-driven tools
  • Effective awareness training

…organisations and individuals can significantly reduce their risk.