When we think of cybersecurity audits, we often picture assessments of technical vulnerabilities, compliance checks, and security frameworks. However, 70%-90% of cyberattacks exploit the weakest link in the security chain—humans. The role of human factors in cybersecurity risks has been evident throughout history, from the Trojan Horse in The Odyssey to modern-day cyber threats. This presentation highlights the critical influence of human behavior, decision-making, and organizational culture in cybersecurity audits.
As cybersecurity expert Kevin Mitnick once said: “It’s often easier to trick a person on the inside than it is to crack air-tight cybersecurity measures.” Social engineering attacks leverage psychology to manipulate insiders, bypassing even the most robust security defenses. Threat actors exploit publicly available information through OSINT to craft targeted attacks, preying on cognitive biases and social influence.
This session introduces what I term the 7 Vulnerabilities of the Human OS:
- Reciprocity
- Scarcity
- Authority
- Liking
- Commitment & Consistency
- Consensus & Social Proof
- Unity
These psychological triggers have led to major breaches, including the 2019 Toyota BEC Scam, 2020 Shark Tank Spear Phish, and the 2020 Twitter Bitcoin Scam.
To enhance cybersecurity resilience, organizations must integrate social engineering awareness into audit frameworks. By incorporating human risk assessments and training programs into audits, companies can proactively mitigate threats and foster a culture of security awareness.