Beyond Technicalities: Assessing Cyber Risk by Incorporating Human Factors: RAND Corporation, July 9, 2025
From the report: “The process of assessing a firm’s cyber risk most often relies on the technical characteristics of the firm’s computing infrastructure, such as network configurations and software patching practices. While important, these approaches often ignore the human factors that affect a firm’s cyber risk, such as an individual’s knowledge and awareness, or their workplace setting.
Research that has examined the correlation between human factors and cyber risk provides insights only into the strength of the correlation between these variables – what is often referred to in measurement theory as validity. Research has yet to address issues related to reliability – the other critical aspect of measurement – such as how easily and consistently the variables can be collected in the workplace.
Indeed, since most cyber incidents are the result of human failure, there becomes increasing urgency to understand, estimate, and influence the effect of individuals on a firm’s overall security posture. This absence of consideration for human risk factors represents both a glaring omission, and an opportunity for better ways to measure and manage a firm’s cyber risk. Therefore, this research seeks to fill this gap by creating a holistic approach to assess cyber risks using modern psychometric techniques.”
Authors: Huang, Wenjing; Romanosky, Sasha; Uchill, Joe