SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Michael Downs

Cyber security that works with humans, not against them

Tue, 24th Mar 2026

Even after years of spending on cyber security training and awareness, many organisations are still falling victim to cyber breaches, not because their technology failed, but because human reactions under stress are remarkably predictable.

Historically, security efforts focused on reinforcing a clear boundary around systems. Tools like firewalls, intrusion detection, and endpoint protection were all built to defend that perimeter. But attackers no longer need to force their way in; increasingly, they gain entry simply by requesting it.

As cloud and SaaS applications have become central to the way that companies operate, the concept of a defined network edge has largely vanished. Today, the real security boundary lies within identity systems, collaboration platforms and – above all – daily choices made by employees.

Their choices, however, are far from perfect. Employees regularly juggle interruptions, tight deadlines, and competing priorities. To cope, they lean on mental shortcuts that let them process information quickly and keep work moving.

This kind of rapid, instinctive decision-making is what psychologist Daniel Kahneman called fast thinking, and it has become essential to the demands and pace of our digital workloads. It leads people to respond quickly, trust familiar contacts, act on urgency and rely on the tools they use every day.

For cyber criminals, these tendencies present an opportunity. Social engineering attacks are designed to exploit trust, urgency, and routine behaviour, and they're proving highly effective. M&S, for example, publicly stated that the cyber attack it suffered last year, costing the retailer approximately £300 million, was the result of "human error".

MFA bombing has become a common risk

Looking ahead, the risk of attackers taking advantage of human behaviour is only likely to grow. In its 2026 Global Cybersecurity Outlook, the World Economic Forum (WEF) states that cybercriminals are now weaponising AI models to manipulate human trust with greater effectiveness in an effort to gain access to victims' systems.

The report emphasises that this marks a significant shift in the threat landscape, requiring more advanced and adaptive defence mechanisms.

There is no question that Multi-Factor Authentication (MFA) has become a foundational security requirement within that mix, supplementing the username and password model with additional factors to identify genuine users.

However, as attackers continue to pursue the easiest route in, a tactic known as MFA fatigue – or MFA bombing – has become increasingly common. This involves attackers sending repeated MFA prompts to trick or irritate victims in the hope that they will eventually approve one, either mistakenly or out of frustration.

Like many modern attacks, this method relies less on breaking technology and more on manipulating people. Once login credentials have been compromised – often phished, or bought from leaked credential dumps – attackers can use automated tools to trigger a constant stream of approval notifications.

All it takes is one approval for attackers to gain entry, potentially exposing sensitive customer information, financial data and core business systems. The consequences can be severe, ranging from ransomware incidents and operational disruption to financial losses, reputational damage and regulatory penalties.
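The pattern described above leaves a visible trace in identity-provider logs: a burst of push prompts to one account, often with denials in between, and sometimes a final approval. The following detector is an added example written for this article, not code from the author or any vendor; the log format, event names (push_sent, push_denied, push_approved), threshold and window are assumptions, and the log lines are constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from any real identity provider).
# Fields: timestamp, user, event, source IP of the login attempt that triggered the push.
SAMPLE_LOG = """\
2026-03-20T08:01:05Z alice push_sent 203.0.113.7
2026-03-20T08:01:12Z alice push_denied 203.0.113.7
2026-03-20T08:01:30Z alice push_sent 203.0.113.7
2026-03-20T08:01:44Z alice push_sent 203.0.113.7
2026-03-20T08:02:10Z alice push_sent 203.0.113.7
2026-03-20T08:02:35Z alice push_sent 203.0.113.7
2026-03-20T08:02:58Z alice push_sent 203.0.113.7
2026-03-20T08:03:20Z alice push_approved 203.0.113.7
2026-03-20T08:05:00Z bob push_sent 198.51.100.4
2026-03-20T08:05:09Z bob push_approved 198.51.100.4
2026-03-20T09:15:00Z carol push_sent 192.0.2.9
2026-03-20T09:30:00Z carol push_sent 192.0.2.9
2026-03-20T09:45:00Z carol push_sent 192.0.2.9
"""

THRESHOLD = 5                  # assumed: prompts inside the window before we call it a flood
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting prompts


def parse_line(line):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_mfa_flood(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for users who received `threshold` or more pushes inside `window`,
    plus a high-severity alert if such a user then approves a push (a likely fatigue success)."""
    recent = defaultdict(deque)   # user -> push_sent timestamps still inside the window
    flood_start = {}              # user -> time the flood was first flagged
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if user in flood_start and ts - flood_start[user] > window:
            del flood_start[user]             # the flood aged out; a new burst may alert again
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in flood_start:
                flood_start[user] = ts
                alerts.append({"user": user, "type": "push_flood", "severity": "medium",
                               "prompts": len(q), "at": ts.isoformat(), "ip": ip})
        elif event == "push_approved":
            if user in flood_start:
                alerts.append({"user": user, "type": "approval_after_flood", "severity": "high",
                               "prompts": len(q), "at": ts.isoformat(), "ip": ip})
            q.clear()                         # an approval ends the episode either way
            flood_start.pop(user, None)
        # push_denied is deliberately not a reset: denials are part of the fatigue pattern
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_flood(SAMPLE_LOG):
        print(alert)
```

On the sample log, alice's seven prompts in two minutes produce a medium alert at the fifth prompt and a high alert when the approval follows; bob's single prompt-and-approve is normal; carol's three prompts are each fifteen minutes apart and fall outside the ten-minute window, which is why the window, not just a raw count, matters. The high-severity case is the one to act on immediately (revoke the new session and reset the credential), since by then the attacker is already in.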

Understanding the human element of security

Even the most advanced technical controls can't remove the human element from cyber security. People are often described as both the strongest defence and the greatest vulnerability – and with good reason. In Verizon's 2025 Data Breach Investigations Report (DBIR), the human element (social engineering, credential misuse and unintended actions) was involved in around 60% of breaches, showing that people still play a major role in how breaches occur. Cybersecurity is therefore, in many ways, no longer just a case of protecting systems, but of informing decisions.

Reducing the likelihood of errors – whether they stem from oversight, poor judgment, or simple fatigue – requires a strong focus on education and awareness. Employees need to understand how to identify threats, particularly those involving MFA. Clear guidance is essential: if an MFA prompt appears that the user did not just trigger by signing in, it should be rejected and reported to the IT team right away, not approved to make it stop.

Strengthening authentication

That said, removing human error completely isn't realistic. As a result, organisations need stronger authentication approaches that can limit the impact of mistakes, particularly when it comes to MFA fatigue attacks.

In response, several national and international cybersecurity bodies have put out a joint advisory recommending that stronger authentication be adopted broadly, highlighting the need for organisations to move beyond basic controls and adopt phishing-resistant MFA. Doing so removes the weakness of simple "click to approve" or "enter your PIN to approve" prompts, which are exactly what MFA bombing and MFA fatigue exploit: there is no longer a one-tap approval for the attacker to wear the user down into giving.

One way to strengthen authentication is through context-aware access controls. These systems assess additional signals around each login attempt, such as location, device type, operating system, browser and even typical user behaviour, for example, the time the user usually takes to authenticate. By analysing these factors together, the MFA solution can make more informed decisions, allowing low-risk access to be seamless while flagging or blocking suspicious activity.

Further protection can be achieved by adopting FIDO2-based authentication, typically unlocked on the device with a biometric or PIN. This approach relies on device-bound, phishing-resistant credentials, making it much harder for attackers to capture or reuse them, even if a user is deceived into interacting with a fake site. A key feature here is origin binding: the credential is scoped to the genuine site's domain, and the browser records the real origin of the page in the signed login response. If a user unknowingly tries to sign in on a fraudulent lookalike site, the authentication process fails automatically, because no credential exists for that domain and the genuine service would reject a response carrying the wrong origin.
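To make the origin-binding point concrete, here is an added example (written for this article, not code from the author or from any FIDO2 product) that models the two places a lookalike site fails: the browser's rule on which relying-party ID (rpId) a page may use, and the relying party's checks on the origin and rpIdHash in the signed response. The relying-party ID "example.com", the allowed origins, the lookalike host "examp1e.com" and the credential store are assumptions; the signature verification step of the real WebAuthn procedure is left out so the domain checks stand alone.

```python
import base64
import hashlib
import json
import os

# Assumed relying-party settings (not from the article).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
# Assumed authenticator contents: one passkey, keyed by the rpId it was registered for.
WALLET = {RP_ID: "credential-for-example.com"}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def client_data_json(challenge, origin, ceremony="webauthn.get"):
    # The browser, not the web page, fills in `origin`; a phishing page cannot lie about it.
    return json.dumps({"type": ceremony, "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False},
                      separators=(",", ":")).encode()


def authenticator_data(rp_id, user_present=True, counter=1):
    # Layout: rpIdHash (32 bytes) | flags (1) | signCount (4); extensions omitted.
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def browser_allows_rp_id(page_host, rp_id):
    # A page may use its own host or a parent domain as rpId, never someone else's.
    # (Real browsers also refuse public suffixes such as "com"; that rule is omitted here.)
    return page_host == rp_id or page_host.endswith("." + rp_id)


def verify_assertion(client_data, auth_data, expected_challenge,
                     rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party checks on ceremony type, challenge, origin and rpIdHash.
    Returns (ok, reason). The signature over authData || SHA-256(clientDataJSON)
    is deliberately omitted; in practice it is verified after these checks pass."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in allowed_origins:
        return False, "origin not allowed: %s" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def login_attempt(page_host, challenge, requested_rp_id=RP_ID):
    """Simulate the user's browser and authenticator handling a login from `page_host`."""
    # 1. The page asks for `requested_rp_id`; the browser enforces the domain rule.
    if not browser_allows_rp_id(page_host, requested_rp_id):
        return False, "browser refused rpId %s for page %s" % (requested_rp_id, page_host)
    # 2. The authenticator only has credentials for the rpId they were registered under.
    if requested_rp_id not in WALLET:
        return False, "no credential for rpId %s" % requested_rp_id
    # 3. The browser records the real origin; the relying party then verifies it.
    cd = client_data_json(challenge, "https://" + page_host)
    ad = authenticator_data(requested_rp_id)
    return verify_assertion(cd, ad, challenge)


if __name__ == "__main__":
    ch = os.urandom(32)
    print("genuine site:     ", login_attempt("login.example.com", ch))
    print("lookalike, rpId=example.com:", login_attempt("examp1e.com", ch))
    print("lookalike, own rpId:        ", login_attempt("examp1e.com", ch, "examp1e.com"))
```

The genuine site succeeds; the lookalike fails whichever rpId it asks for, and a response that somehow reached the real service with the lookalike origin would still be rejected by verify_assertion. The checks are ordered so that a stale or reused challenge is rejected before anything else is trusted.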

Solutions that support safe user behaviour

At their core, these more advanced MFA capabilities are built to reinforce secure user behaviour rather than rely on it alone. By adopting phishing-resistant MFA, organisations can introduce a protective buffer between employees and social engineering attempts. This added layer makes it far more difficult for attackers to take advantage of instinctive, fast-paced decision-making while helping users to respond in a safer, more controlled way.

When a single approval can lead to significant financial and operational damage, investing in security that accounts for human behaviour is a sensible move. That said, choosing the right solution is critical.

Security measures should never become an obstacle to productivity. If authentication processes are overly complicated or time-consuming, employees are likely to bypass them altogether, creating new risks in the process.

For this reason, organisations need MFA solutions that strike the right balance: simple to deploy, intuitive to use, and robust enough to withstand modern threats. Achieving that balance puts businesses in a strong position to safeguard sensitive data, critical systems, and day-to-day operations against increasingly common access-based attacks.