Abstract

This paper, part of a larger dissertation, challenges the prevailing characterization of humans as the “weakest link” in cybersecurity, a perspective that has led to significant resource misallocation and flawed defensive strategies. Hence, the study empirically investigates the relationship between specific human factors and the severity of security incidents. Employing a sequential explanatory mixed-methods design, this research integrates quantitative analysis of 237 incidents from the VERIS Community Database with qualitative insights from interviews with 12 cybersecurity professionals. The quantitative analysis reveals a critical distinction: human error is associated with a significant reduction in incident severity (odds ratio [OR] = 0.28, p < 0.001), whereas social engineering is linked to a twofold increase in severity (OR = 2.04, p = 0.039). These findings directly challenge the monolithic view of the “human element” and the assumption that initial access vectors reliably predict impact. Qualitative data further illuminate these patterns, indicating that errors are often quickly detected and contained, whereas social engineering facilitates deeper, more persistent intrusions. This study proposes an empirically grounded framework for human-centric incident severity, advocating for a strategic shift from generic awareness training to a dual focus on error-tolerant systems and advanced behavioral detection capabilities. The research offers a refined theoretical lens for understanding human factors in cybersecurity and provides actionable recommendations for optimizing security investments.

This work is licensed under a Creative Commons Attribution 4.0 License.