
Designing a resilient human-centric cyber security framework

By Heino Gevers, senior director of technical support at Mimecast South Africa
Johannesburg, 21 Apr 2026
Heino Gevers, senior director of technical support at Mimecast South Africa.

When we think about cybersecurity, we tend to picture attacks on systems and technology, yet the most frequently exploited vulnerability is human. No firewall, patch or AI tool can fully stop someone from clicking a malicious link out of curiosity or a moment’s inattention.

With a tailored, human-focused approach, organisations can mitigate these risks by turning employees into their strongest line of defence. That shift starts with understanding the humans behind the behaviours.

Consider the different risk personas within an organisation: the negligent user who unintentionally mishandles data, the malicious insider with harmful intent, the targeted user under attack but not yet breached, and the compromised user whose account is already exploited. Each presents distinct challenges that require specific, actionable strategies, and by mapping these personas to particular risks and behaviours, organisations can design targeted interventions that address vulnerabilities before they escalate.

Designing training programmes for lasting change

Traditional security awareness training often fails to create meaningful, long-term behavioural change. To be effective, training must go beyond generic modules and focus on personalisation, relevance and reinforcement.

How organisations can achieve this:

  • Focus on high-risk users and behaviours: Research shows that 8% of employees are responsible for 80% of cyber security incidents. By identifying high-risk individuals through data from phishing simulations, malware incidents and browsing violations, organisations can deploy targeted interventions to address their vulnerabilities.
  • Hyper-personalised, just-in-time training: Generic, one-size-fits-all training is ineffective. Instead, deliver training tailored to an employee’s role, risk profile and past mistakes. For instance, if an employee clicks on a phishing simulation, immediately provide a short, interactive module explaining the red flags they missed.
  • Gamification and positive reinforcement: Behavioural change is more likely when employees feel recognised and rewarded for good security practices. Gamified elements like leaderboards or challenges can make training engaging, while recognition of “security champions” motivates others to follow suit.
  • Measure impact with behavioural metrics: Traditional metrics like training completion rates fail to capture real-world impact. Instead, track behavioural metrics like reductions in phishing click rates, or increases in incident reporting, to assess the effectiveness of training.

By combining these strategies with continuous reinforcement, organisations can ensure that training is not just a compliance checkbox but drives meaningful, lasting change.

Building security into culture

Building a cyber security-first culture goes beyond protocols and policies. It’s about shaping behaviours, fostering accountability and helping every employee see themselves as part of the defence line. Beyond training, it requires a genuine cultural shift.

When executives visibly prioritise cyber security, it sends a powerful message. A CEO who pauses a meeting to enable multi-factor authentication or shares a story about thwarting a phishing attempt sets the tone that security is everyone’s responsibility, not just IT’s.

Leadership alone isn’t enough – accountability must be a team effort. Organisations can foster this by giving employees data-driven feedback on their security performance through tools like scorecards and team trend reporting. Collaborative initiatives like bug bashes help teams celebrate fixing vulnerabilities, while safety-style goals such as “days since the last successful phish” and rewards for strong security records build collective responsibility and pride.

Recognition is also pivotal in embedding security into the culture. Highlighting employees who report threats or demonstrate strong security practices reinforces that small, proactive actions make a big difference.

A strong security culture depends on proactive engagement. Encourage employees to report suspicious activity and take part in security initiatives to build shared accountability, and regularly share success stories, leadership messages and security updates to deepen trust and engagement.

Adapting security to real-time risks

Evidence shows one-size-fits-all security controls fall short in dynamic environments. Adaptive protocols add flexibility by tailoring responses to individual behaviour and risk.

An employee who repeatedly fails phishing tests might temporarily face stricter e-mail filtering until their detection skills improve, while higher-risk staff receive extra protection, such as additional authentication steps or targeted briefings.

Technology is a critical enabler. AI-driven tools like user behaviour analytics can monitor activity, spot anomalies and trigger automated responses – blocking suspected phishing attempts or warning employees in real time before threats escalate.

Metrics such as training engagement, blocked phishing attempts and response times reveal what works and where gaps remain. If one department struggles with a specific phishing tactic, that insight can drive focused reinforcement before the issue spreads.
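The pattern the last few sections describe (score each user from phishing-simulation, malware and browsing telemetry, surface the small high-risk cohort, track behavioural metrics per department, and map scores to adaptive controls) can be sketched in code. The following is an added example, not code from the article or from Mimecast; the telemetry records, the weights, the cohort fraction and the control tiers are all constructed assumptions for illustration.

```python
"""Toy human-risk scoring pipeline (added example, not Mimecast's code).

Constructed telemetry for six users across two departments and two periods
(a 'baseline' quarter and a 'followup' quarter after targeted training).
Weights, thresholds and control names are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UserTelemetry:
    user: str
    dept: str
    period: str            # "baseline" or "followup"
    sims_sent: int         # phishing simulations delivered to the user
    sims_clicked: int      # simulations the user clicked
    sims_reported: int     # simulations the user reported to security
    malware_incidents: int
    browsing_violations: int


# Constructed sample data (assumption, not real telemetry).
TELEMETRY = [
    UserTelemetry("alice", "finance", "baseline", 10, 3, 1, 1, 2),
    UserTelemetry("bob",   "finance", "baseline", 10, 0, 4, 0, 0),
    UserTelemetry("carol", "finance", "baseline", 10, 1, 2, 0, 1),
    UserTelemetry("dave",  "eng",     "baseline", 10, 0, 5, 0, 0),
    UserTelemetry("erin",  "eng",     "baseline", 10, 2, 0, 0, 3),
    UserTelemetry("frank", "eng",     "baseline", 10, 0, 3, 0, 0),
    UserTelemetry("alice", "finance", "followup", 10, 1, 3, 0, 0),
    UserTelemetry("bob",   "finance", "followup", 10, 0, 5, 0, 0),
    UserTelemetry("carol", "finance", "followup", 10, 0, 3, 0, 0),
    UserTelemetry("dave",  "eng",     "followup", 10, 0, 6, 0, 0),
    UserTelemetry("erin",  "eng",     "followup", 10, 1, 2, 0, 1),
    UserTelemetry("frank", "eng",     "followup", 10, 0, 4, 0, 0),
]

# Assumed weights: risky behaviours add to the score, reporting subtracts.
WEIGHTS = {"click": 3.0, "malware": 5.0, "browsing": 1.0, "report": -2.0}


def risk_score(t: UserTelemetry) -> float:
    """Weighted sum of risk signals, floored at zero so reporting cannot go 'negative risk'."""
    raw = (WEIGHTS["click"] * t.sims_clicked
           + WEIGHTS["malware"] * t.malware_incidents
           + WEIGHTS["browsing"] * t.browsing_violations
           + WEIGHTS["report"] * t.sims_reported)
    return max(0.0, raw)


def _period(records, period):
    return [r for r in records if r.period == period]


def high_risk_cohort(records, period, fraction=1 / 3):
    """Top `fraction` of users by risk score (ties broken by name for determinism)."""
    ranked = sorted(_period(records, period), key=lambda r: (-risk_score(r), r.user))
    n = max(1, round(len(ranked) * fraction))
    return [r.user for r in ranked[:n]]


def incident_share(records, period, users):
    """Share of all incidents (clicks + malware + browsing) attributable to `users`."""
    rows = _period(records, period)
    incidents = lambda r: r.sims_clicked + r.malware_incidents + r.browsing_violations
    total = sum(incidents(r) for r in rows)
    cohort = sum(incidents(r) for r in rows if r.user in users)
    return cohort / total if total else 0.0


def department_metrics(records, period):
    """Behavioural metrics per department: phishing click rate and report rate."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in _period(records, period):
        sent[r.dept] += r.sims_sent
        clicked[r.dept] += r.sims_clicked
        reported[r.dept] += r.sims_reported
    return {d: {"click_rate": clicked[d] / sent[d], "report_rate": reported[d] / sent[d]}
            for d in sent}


def adaptive_controls(score: float):
    """Map a risk score to the assumed control tier applied until the score drops."""
    if score >= 10:
        return ["strict_mail_filtering", "step_up_auth", "targeted_briefing"]
    if score >= 5:
        return ["strict_mail_filtering", "just_in_time_module"]
    if score > 0:
        return ["just_in_time_module"]
    return ["standard_controls"]


if __name__ == "__main__":
    cohort = high_risk_cohort(TELEMETRY, "baseline")
    print("high-risk cohort:", cohort,
          f"share of incidents={incident_share(TELEMETRY, 'baseline', cohort):.2f}")
    for r in _period(TELEMETRY, "baseline"):
        print(f"{r.user:6} score={risk_score(r):5.1f} controls={adaptive_controls(risk_score(r))}")
    for period in ("baseline", "followup"):
        print(period, department_metrics(TELEMETRY, period))
```

Running it shows the shape of the argument in the article: two of the six users account for most of the baseline incidents, finance has the highest click rate and so is the department to reinforce first, and the follow-up period shows the click-rate reduction that a completion-rate metric would never surface.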

Aligning the framework with operational needs

To ensure the human-centric cyber framework aligns with specific needs, organisations should:

  • Conduct a human risk assessment: Use tools like the Human Risk Maturity Model to evaluate the organisation’s current state across culture, technology and compliance, identifying gaps for improvement.
  • Leverage telemetry for data-driven decisions: Use telemetry to gain real-time insights into risk areas, tracking employee behaviour to tailor interventions.
  • Adopt a phased approach: Transition from reactive to proactive practices, starting with foundational steps like basic training and monitoring before implementing advanced tools.
  • Engage leadership: Secure leadership buy-in by presenting a clear business case for investing in human risk management initiatives, highlighting potential ROI.
  • Continuously improve: Regularly review and update the framework to reflect changes in the threat landscape, employee behaviour and regulatory requirements.

Human-centric defence can lead the way

The human element will always be a part of cyber security, but it doesn’t have to remain the most vulnerable. With smarter training, cultural reinforcement, adaptive protocols and real-time visibility, organisations can turn their people into their most effective defenders.

Mimecast will be exhibiting at the ITWeb Security Summit from 2-4 June 2026 – visit the company at stand 61 to learn more about how organisations can better manage human risk in practice.

About ITWeb Security Summit 2026

ITWeb Security Summit 2026 will be held at Century City Conference Centre, Cape Town on 26 May 2026 and at Sandton Convention Centre in Sandton, Johannesburg from 2-4 June 2026.

Themed: ‘Redefining security in the face of AI-driven attacks, fragile supply chains and a global skills gap’, the 21st annual edition of Security Summit will continue in its tradition of bringing leading international and local industry experts, analysts and end-users together to delve into the specific threats and opportunities facing African CISOs, security specialists, GRC professionals and anyone else who is responsible for securing their organisation from cyber attacks.

Register today. Visit here for Cape Town or here for Johannesburg.
