As human-driven cyber risk continues to dominate breach narratives, blame is proving to be a dead end. In this article, Annick O’Brien, General Counsel, CybSafe, argues that employees are not the weakest link but an untapped security asset, reframing behaviour as something that can be measured, governed and optimised through the Human Firewall - a theme that sits at the heart of the #RISK BFSI Executive Forum as leaders rethink how culture, data and governance must converge to build resilient security strategies in 2026 and beyond.

Annick O’Brien, General Counsel, CybSafe - Specialising in the complex domains of cybersecurity, privacy, and information security

I’m going to be disruptive. In 2026, if you’re still calling employees “the weakest link” in cybersecurity, then that’s just lazy. And honestly? It’s holding you back.

What I’m seeing with the most forward-thinking security leaders right now is a complete reframe. They’re not fighting their people—they’re building what’s known as the Human Firewall. It’s measurable. It’s governable. And when you get it right, it’s one of your highest-ROI security investments.

The secret sauce? Combining behavioural science with solid data analytics and plugging it all into your GRC framework. Suddenly “security culture” stops being a vague aspiration and becomes an actual metric you can track and improve.

Awareness ≠ Behaviour (And That’s the Whole Problem)

Let’s be real: that annual security awareness training everyone dreads? It’s checking a box. That’s about it. I’d also like to pause here to acknowledge that I do this too. We have audits - we have to demonstrate we ticked the box. I’m not saying don’t do it; I’m just saying it doesn’t work.

Here’s the thing—knowing something is risky and actually not doing the risky thing are completely different. Your employees probably know not to click sketchy links. But when they’re slammed with deadlines, running on caffeine, and the UI is working against them? They’ll click anyway. We all would (and have).

This is where behavioural science comes in. Once you understand what’s actually driving non-compliance—stuff like optimism bias (“that’ll never happen to me”) or just taking the path of least resistance—you can start designing environments where the secure choice is also the easy choice. That’s the game-changer. You’re not adding more rules. You’re building better defaults.

Actually Measuring Human Risk (Yes, It’s Possible)

The classic GRC problem: you can quantify your technical vulnerabilities all day long, but how do you put a number on human risk? You can patch a server. You can’t exactly patch a person.

But here’s what’s working: we are using data analytics to build a Human Risk Score. If you have already sourced the data from phishing simulations, password hygiene, how fast people report suspicious emails, whether they’re following data handling policies and so on, you can string it all together and you’ve got something actionable.

The metrics that actually matter:

  • Mean Time to Report: How fast are people flagging threats? Speed matters here.
  • Resilience Ratio: The delta between people who fall for a simulation versus people who report it. This tells you way more than click rates alone.
  • Security Debt: All those ignored policy prompts and bypassed controls? They’re accumulating. Track them.

This is how you walk into a board meeting with actual data instead of vibes. “We reduced human-driven risk by X%” hits different than “we did more training.”
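As an added example (not code from the article or from CybSafe), the Python below computes the three metrics from constructed phishing-simulation results and a constructed count of dismissed policy prompts, then rolls them into an illustrative Human Risk Score. The article names the metrics but gives no formulas, so the Resilience Ratio reading (report rate minus click rate), the score weights and the caps are all assumptions made for this example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass
class SimEvent:
    """One user's result in one phishing simulation (constructed data)."""
    user: str
    campaign: int
    outcome: str                            # "reported", "clicked" or "ignored"
    report_minutes: Optional[float] = None  # delivery-to-report time, if reported

# Constructed sample: two campaigns, four users.
EVENTS = [
    SimEvent("alice", 1, "reported", 4.0), SimEvent("alice", 2, "reported", 6.0),
    SimEvent("bob", 1, "clicked"),         SimEvent("bob", 2, "reported", 45.0),
    SimEvent("carol", 1, "clicked"),       SimEvent("carol", 2, "clicked"),
    SimEvent("dave", 1, "ignored"),        SimEvent("dave", 2, "reported", 12.0),
]
# Constructed "security debt": dismissed policy prompts and bypassed controls per user.
SECURITY_DEBT = {"alice": 0, "bob": 3, "carol": 7, "dave": 1}

def mean_time_to_report(events):
    """Mean Time to Report in minutes; None if nobody reported."""
    times = [e.report_minutes for e in events if e.outcome == "reported"]
    return mean(times) if times else None

def resilience_ratio(events):
    """Report rate minus click rate, in [-1, 1]. Positive means more people
    flagged the lure than fell for it (assumed reading of the article's 'delta')."""
    reported = sum(e.outcome == "reported" for e in events)
    clicked = sum(e.outcome == "clicked" for e in events)
    return (reported - clicked) / len(events) if events else 0.0

def human_risk_score(user, events=EVENTS, debt=SECURITY_DEBT):
    """Per-user score on 0-100; higher is riskier. The weights and caps are
    illustrative assumptions for this example, not a published standard."""
    mine = [e for e in events if e.user == user]
    click_rate = sum(e.outcome == "clicked" for e in mine) / len(mine)
    mttr = mean_time_to_report(mine)
    slow_report = 0.0 if mttr is None else min(mttr / 60.0, 1.0)  # an hour or more is the cap
    never_reported = 1.0 if mttr is None else 0.0
    debt_term = min(debt.get(user, 0) / 10.0, 1.0)                 # ten or more items is the cap
    raw = 0.5 * click_rate + 0.2 * slow_report + 0.1 * never_reported + 0.2 * debt_term
    return round(100 * raw, 1)

if __name__ == "__main__":
    print(f"MTTR {mean_time_to_report(EVENTS):.1f} min, resilience {resilience_ratio(EVENTS):+.3f}")
    for u in sorted(SECURITY_DEBT, key=human_risk_score, reverse=True):
        print(f"{u:6} risk score {human_risk_score(u):5.1f}")
```

The per-user scores are what a Security Debt or board-level trend would be built on; the population-level MTTR and Resilience Ratio are the figures that survive aggregation without exposing individuals.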

Making It Work Within Your GRC Framework

For this to scale, behavioural data can’t live in a silo. It needs to plug directly into your enterprise risk register, right alongside your technical vulnerabilities.

Here are a few things I’ve seen work well:

Write policies for how people actually work, not how you wish they worked. If your policy is so restrictive that everyone’s spinning up shadow IT workarounds, congratulations—you’ve just created ungoverned risk. The policy is the problem.

Build adaptive controls. If someone’s Human Risk Score starts trending up, your system should respond automatically—nudging, reminding, just-in-time training, whatever makes sense to give that person the help they need when they need it. Static security doesn’t cut it anymore.

Close the feedback loop. GRC frameworks are built for continuous improvement. Behavioural data gives you real-time signal to refine your controls and update threat models. Use it.

The Bottom Line

Look, the goal here isn’t zero mistakes—that’s not how humans work. The goal is reducing the probability and impact of mistakes. When you measure, incentivise, and govern security behaviour, your workforce becomes a distributed detection network. They’ll catch things your technical tools miss. They are now your agile defence in depth.

When you stop treating people like a liability and start treating them like the asset they actually are? That’s when security becomes a shared responsibility instead of just IT’s problem.

And that’s a culture shift worth investing in.

Annick O’Brien, General Counsel, CybSafe

Annick O’Brien is the General Counsel at CybSafe, a role that leverages her deep expertise as a qualified lawyer, Data Protection Officer (DPO), and cyber risk officer. She advises on security compliance and risk management frameworks ensuring these critical initiatives are seamlessly aligned with overarching business objectives, delivering demonstrable value.

Specialising in the complex domains of cybersecurity, privacy, and information security, Annick expertly masters regulatory landscapes, including NIST, GDPR, and the EU AI Act.

Her mission is to empower organisations to sustainably and securely integrate evolving legal requirements into their operational fabric. A recognised thought leader, Annick is a frequent and sought-after voice on the crucial intersection of human cyber risk and the dynamic legal environment.

She is the winner of the 2024 GRC Head of Legal of the Year award and was nominated for the 2025 Legal in Cyber award with the National Cyber Awards.

#RISK BFSI Executive Forum

Senior-Level Discussions. Practical Insight. Strategic Relevance

#RISK BFSI Executive Forum is a senior peer‑to‑peer summit that gives buy‑side risk leaders a structured way to sharpen portfolio and enterprise risk decisions, strengthen their voice with boards and stay ahead of regulatory and market shifts.

#RISK BFSI Executive Forum, 10th June 2026, Soho Works, 180 Strand Lofts, London