Is the Human the Problem in Cybersecurity?

In 1999, Anne Adams and M. Angela Sasse wrote a paper titled “Users are not the Enemy”. That same year, Whitten and Tygar wrote a paper titled “Why Johnny Can’t Encrypt”.

Soon after, the field of Usable Security launched, and talented researchers have undertaken a great deal of fantastic work over the last two decades.


Much of the work focuses on somehow “fixing” the end user: persuading them to behave securely, understanding their mental models and figuring out how to get them to follow the rules.

Unfortunately, many still see the end user as the problem, something to be solved, controlled, legislated and corrected: Human-As-Problem.

As we explain in our paper, listed below, this is unrealistic. Treating humans as rule-following bots CREATES the problem – it doesn’t solve it. As evidence, consider how the number of data breaches and cybersecurity attacks always seems to increase.

It is time for some reflection, and consideration of a new way forward.

Sidney Dekker (YouTube video), Wouter Hart (YouTube video in Dutch) and David Marquet (YouTube video) all propose a different way: Human-as-Solution.

Here’s the paper that Verena Zimmermann and I wrote about this idea: Verena Zimmermann and Karen Renaud. Moving from a “Human-as-Problem” to a “Human-as-Solution” Cybersecurity Mindset. International Journal of Human-Computer Studies. Volume 131, November 2019, Pages 169-187.

And an executive summary, for a quick read.


I’d love to hear your thoughts on this idea…