The Last Mile Problem: Why Cybersecurity Fails at the Point of Human Decision-Making
Reframing enterprise risk from systems failure to capability failure in regulated environments
BY: Hana Dhanji, Founder & CEO, Cognitrex Inc.
Introduction: The limits of a technology-centric paradigm
Over the past decade, enterprise cybersecurity has undergone rapid technological advancement. Organizations have invested extensively in layered defenses—identity management, zero-trust architectures, AI-driven detection systems, and automated incident response capabilities. These investments have materially improved visibility, control, and response speed across digital environments.
However, despite this progress, the frequency and impact of cybersecurity incidents have not declined proportionally. Breaches continue to occur across sectors, including those with highly mature security infrastructures. This divergence between investment and outcome suggests a structural limitation in how cybersecurity risk is currently conceptualized.
The prevailing paradigm treats cybersecurity as a technical systems problem.
Yet empirical evidence increasingly indicates that this framing is incomplete.
Cybersecurity risk does not ultimately materialize within infrastructure. It materializes at the point where infrastructure interacts with human behavior.
This distinction is critical.
The embedded human layer within technical systems
Modern cybersecurity architectures are typically understood through a layered defense model:
Prevention: access controls, authentication systems, network segmentation
Detection: monitoring systems, anomaly detection, behavioral analytics
Response: incident management protocols, containment procedures
Each of these layers is engineered to operate with high degrees of precision and reliability.
However, each layer also contains an embedded human component.
Access controls are only effective if users adhere to them.
Detection systems rely, in part, on individuals recognizing and escalating anomalies.
Response protocols depend on correct execution under time pressure.
This creates a hybrid system:
A technically engineered environment whose effectiveness is contingent on human decision-making.
The system is therefore only as strong as its weakest behavioral interaction.
The Last Mile Problem
To understand where this system breaks down, it is useful to introduce the concept of the Last Mile Problem.
In logistics and infrastructure, the last mile refers to the final stage of delivery—the point at which the success of an entire system is realized or compromised.
In cybersecurity, the last mile is not a device or a network boundary.
It is a decision point.
An employee chooses whether to open an email.
A manager determines whether to override a control.
A technician decides whether to follow or bypass a procedure.
These decisions are made in environments characterized by:
temporal pressure
incomplete or ambiguous information
competing operational priorities
system complexity
Importantly, they are made outside controlled training environments and beyond direct system enforcement.
This is where risk crystallizes.
Empirical grounding: human factors as primary risk drivers
Empirical research consistently identifies human behavior as a central driver of cybersecurity incidents.
The Verizon Data Breach Investigations Report has repeatedly highlighted the role of phishing, credential misuse, and social engineering in a substantial proportion of breaches.
Similarly, research conducted by Stanford University in collaboration with Tessian suggests that human error contributes to the majority of data breaches.
While the precise percentages vary, the directional conclusion is unambiguous:
Human behavior is not an ancillary risk factor. It is a primary vector through which cybersecurity risk is realized.
The persistence of ineffective training models
Despite this recognition, the dominant organizational response has been to scale cybersecurity training.
This training typically follows a standardized model:
periodic, mandatory e-learning
uniform content across roles
knowledge-based assessments
completion tracking for compliance
This model persists because it satisfies several institutional requirements:
it is scalable
it is auditable
it provides evidence of due diligence
However, it is not designed to optimize for real-world decision-making.
Security theater learning
This creates a phenomenon that can be described as security theater learning.
Security theater learning produces visible indicators of preparedness—training records, completion dashboards, audit trails—without necessarily improving behavioral outcomes.
It is optimized for regulatory defensibility, not operational effectiveness.
This distinction is critical in regulated environments, where the appearance of compliance can obscure underlying capability gaps.
The Human Risk Gap
To formalize this issue, we define the Human Risk Gap as:
The difference between an individual’s theoretical understanding of cybersecurity principles and their ability to apply those principles effectively under real-world conditions.
This gap emerges from the interaction of four structural factors:
1. Cognitive limitations
Human cognitive capacity is constrained. Under conditions of high cognitive load, individuals rely on heuristics and pattern recognition rather than analytical reasoning.
2. Environmental complexity
Real-world environments introduce ambiguity, noise, and competing signals that are absent from training contexts.
3. Incentive structures
Organizations frequently prioritize speed, responsiveness, and output. These incentives may conflict with security behaviors that require caution and verification.
4. System design
Interfaces, workflows, and processes may not be aligned with human decision-making patterns, increasing the likelihood of error.
Traditional training addresses only one of these dimensions: knowledge.
It does not address the system in which behavior occurs.
Behavioral science: decision-making under pressure
Insights from behavioral economics and cognitive psychology further illuminate this gap.
The work of Daniel Kahneman distinguishes between two modes of thinking:
System 1: fast, intuitive, automatic
System 2: slow, deliberate, analytical
Training environments predominantly engage System 2.
Operational environments—particularly under time pressure—are dominated by System 1.
This mismatch explains why knowledge does not reliably translate into behavior.
Reframing cybersecurity as a capability problem
Addressing the Human Risk Gap requires a shift in framing.
Cybersecurity must be understood not only as a technical domain, but as a capability system.
Capability, in this context, refers to the ability to:
perceive relevant signals
interpret context accurately
make appropriate decisions under pressure
execute correct actions consistently
This definition integrates cognitive, behavioral, and environmental dimensions.
Operational Security Readiness (OSR)
To operationalize this shift, we introduce Operational Security Readiness (OSR).
OSR is defined as:
The measurable ability of an organization’s workforce to make safe, accurate, and consistent decisions in cybersecurity-relevant situations.
This construct shifts the focus from training delivery to performance in context.
Implications for enterprise leaders
The introduction of OSR has several implications:
Learning must move beyond content delivery
Measurement must shift from completion to performance
System design must align with human behavior
Capability must be continuously reinforced
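As an added illustration of the Human Risk Gap and OSR constructs defined above (this is example code written for this page, not Cognitrex's platform or the author's method), the script below places the compliance metric (completion) next to a performance metric computed from simulated decision points. The records, the 0..1 scoring, and the 0.3 gap threshold are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Record:
    user: str
    role: str
    completed: bool     # mandatory e-learning completed (the audit/compliance metric)
    knowledge: float    # knowledge-based assessment score, 0..1 (theoretical understanding)
    decisions: list     # simulated decision points under time pressure, True = safe choice

# Constructed sample records; every value here is invented for illustration.
RECORDS = [
    Record("u1", "finance", True, 0.95, [True, False, False, False]),
    Record("u2", "finance", True, 0.90, [True, True, False, True]),
    Record("u3", "ops", True, 0.80, [True, True, True, True]),
    Record("u4", "ops", False, 0.70, [True, True, False, False]),
]

def applied_score(rec):
    """Share of simulated decision points where the safe action was taken."""
    return mean(rec.decisions) if rec.decisions else 0.0

def human_risk_gap(rec):
    """Knowledge minus applied performance; positive means knowledge did not translate."""
    return round(rec.knowledge - applied_score(rec), 2)

def completion_rate(records):
    """The figure a completion dashboard reports."""
    return mean(1.0 if r.completed else 0.0 for r in records)

def osr_by_role(records):
    """Per-role view: completion and knowledge (delivery) beside OSR (performance in context)."""
    out = {}
    for role in sorted({r.role for r in records}):
        group = [r for r in records if r.role == role]
        out[role] = {
            "completion": round(completion_rate(group), 2),
            "knowledge": round(mean(r.knowledge for r in group), 2),
            "osr": round(mean(applied_score(r) for r in group), 2),
        }
    return out

def theater_flags(records, min_gap=0.3):
    """Users who satisfy the audit (completed) but show a large gap: security theater learning."""
    return [r.user for r in records if r.completed and human_risk_gap(r) >= min_gap]

if __name__ == "__main__":
    print(osr_by_role(RECORDS))
    print("theater flags:", theater_flags(RECORDS))
```

On the constructed data the finance group reports 100% completion yet an OSR of 0.5, while the ops group reports 50% completion and an OSR of 0.75, which is the divergence the article describes.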
Conclusion
Cybersecurity does not fail at the level of infrastructure alone.
It fails at the point where infrastructure intersects with human behavior.
The central question for organizations is therefore not:
Have employees been trained?
It is:
Are they capable of making the right decision under real-world conditions?
About the author:
Hana Dhanji is the Founder & CEO of Cognitrex, an enterprise LearningOS platform and content design firm that helps organizations modernize learning and development.
Cognitrex works with enterprise teams to design and deliver role-based learning programs, onboarding pathways, and scalable training systems that improve workforce capability and performance. The platform combines LMS, LXP, and content infrastructure into a single system, paired with high-quality, scenario-based course design.
Hana is a former corporate lawyer at Sullivan & Cromwell and Hogan Lovells, having worked across New York, London, Dubai, and Toronto. She now advises organizations on how to move beyond fragmented training toward structured, high-impact learning systems.
She also serves as Treasurer and Chair of the Finance Committee for the UTS Alumni Association Board and as a Committee Member of the Ismaili Economic Planning Board for Toronto.