Why Your Employees Are Your Biggest Cybersecurity Risk (And What You Can Do About It)

95% of all cybersecurity incidents are partly caused by human error. Discover why traditional awareness training fails and how behavioural analysis actually works.

Nexus-7 Security Team (Cybersecurity Experts) · February 10, 2026 09:00 · 3 min read

The Human Factor in Cybersecurity

According to IBM research, 95% of all cybersecurity incidents are partly caused by human error. No firewall, no endpoint detection, no SOC — nothing protects your organisation when your employees leave the front door wide open.

That sounds confrontational. But it's not an accusation against your people. It's a fact about how our brains work — and therefore a problem you can address.

Why Traditional Security Awareness Fails

Most organisations tackle the human risk with an annual e-learning module. An hour of clicking, a certificate, done until next year. Research shows this barely works:

  • Knowledge evaporates: Within 6 months, 90% of training content is forgotten (Ebbinghaus forgetting curve)
  • Behaviour doesn't change: Knowing phishing is dangerous doesn't mean you'll recognise it under pressure
  • One-size-fits-all doesn't work: A finance employee faces different risks than a receptionist

The Psychology Behind Security Mistakes

Cybercriminals exploit predictable patterns in human behaviour:

Authority Pressure

An email from "the CEO" urgently requesting a wire transfer. Your employee doesn't want to be the person who keeps the boss waiting. This is called authority bias — we obey authority, even when something feels off.

Time Pressure

"Your account will be blocked within 24 hours." Under stress, our brain switches from analytical thinking to automatic responses. Exactly what the attacker wants.

Social Proof

"342 colleagues have already updated their details." We do what others do. Social proof is one of the most powerful influence principles.

Habituation

The 47th "click here to reset your password" email? Over time, we become blind to warning signs. Alert fatigue is real.

A Different Approach: Behavioural Analysis

Instead of giving everyone the same training, you can map risk per individual:

  1. Measure: How does someone respond to simulated phishing? How do they handle passwords? How quickly do they report suspicious emails?
  2. Profile: Not to punish, but to understand. Which behavioural patterns make someone vulnerable?
  3. Target training: Specific interventions for specific risks. Short, frequent, and relevant.
  4. Monitor: Does behaviour change over time? Does the risk profile decrease?

This is exactly what Nexus-7 does. Our Q-Method behavioural analysis maps your employees' security risk profiles — not based on what they say they do, but on how they actually respond.
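As an added illustration of the measure, profile and monitor steps above (example code, not Nexus-7's own and not the Q-Method), the Python below turns simulated-phishing outcomes into a per-person score per campaign round and flags whether that score is falling. The weights and the sample events are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
DAY_MINUTES = 24 * 60  # cap on report delay so a single outlier cannot dominate

@dataclass(frozen=True)
class SimEvent:
    user: str
    campaign: int                    # simulation round, so change over time is visible
    clicked: bool                    # followed the simulated phishing link
    reported: bool                   # used the report button
    report_minutes: "float | None"   # minutes until the report, None if never reported

def risk_score(events: list) -> float:
    """Score one person's events in one round: 0 (safe) to 100 (risky).
    The weights are assumed for illustration; they are not the Q-Method."""
    n = len(events)
    click_rate = sum(e.clicked for e in events) / n
    report_rate = sum(e.reported for e in events) / n
    delays = [e.report_minutes for e in events if e.reported and e.report_minutes is not None]
    # No report at all counts as the worst case: a full day of exposure.
    avg_delay = sum(delays) / len(delays) if delays else DAY_MINUTES
    delay_factor = min(avg_delay, DAY_MINUTES) / DAY_MINUTES
    return round(100 * (0.5 * click_rate + 0.3 * (1 - report_rate) + 0.2 * delay_factor), 1)

def profile(events: list) -> dict:
    """Profile step: per user, one score per campaign round, oldest round first."""
    by_user = defaultdict(lambda: defaultdict(list))
    for e in events:
        by_user[e.user][e.campaign].append(e)
    return {u: [(r, risk_score(evs)) for r, evs in sorted(rounds.items())]
            for u, rounds in by_user.items()}

def trend(history: list) -> str:
    """Monitor step: compare a user's first and last round."""
    first, last = history[0][1], history[-1][1]
    return "improving" if last < first else "worsening" if last > first else "flat"

# Constructed sample (not real data): two users, two simulation rounds each.
SAMPLE = [
    SimEvent("alice", 1, True, False, None),
    SimEvent("alice", 1, False, False, None),
    SimEvent("alice", 2, False, True, 8.0),
    SimEvent("alice", 2, False, True, 12.0),
    SimEvent("bob", 1, False, True, 30.0),
    SimEvent("bob", 2, True, True, 200.0),
]

if __name__ == "__main__":
    for user, history in profile(SAMPLE).items():
        print(user, history, trend(history))
```

Fed with real simulation logs, the same per-round scores show which person needs which short intervention and whether earlier interventions worked.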

What You Can Do Today

  • Stop relying on annual compliance training as your only measure
  • Start measuring — you can't manage what you don't measure
  • Make security personal — generic awareness doesn't work
  • Create a reporting culture — reward reporting suspicious situations instead of punishing mistakes

The Role of Leadership

Under NIS2 and upcoming national cybersecurity legislation, board members are personally liable for cybersecurity. "We had an awareness training" is no longer a defence. You need to demonstrate that you structurally monitor and improve your organisation's behaviour.


Want to know how your organisation scores on human security risk? Nexus-7 maps it using a scientifically validated behavioural analysis.
