
No, people are NOT the weakest link
For decades, the cybersecurity industry has claimed that human error represents the greatest vulnerability in organizational security, stating that "humans are the weakest link." This paper challenges this paradigm, arguing that attributing security failures to human factors misrepresents the nature of security architecture and absolves security leadership of their responsibilities.
Analysis of the cyber kill chain demonstrates that a successful attack requires multiple consecutive control failures beyond the initial human interaction. When a single employee opening a malicious attachment can trigger a catastrophic breach, the root cause is inadequate security architecture and control implementation, not human error.
Properly designed security systems must incorporate defense-in-depth strategies that account for normal human behavior instead of relying on perfect human performance. Each phase of the attack chain offers an opportunity for technical controls to interrupt attack progression. Network segmentation, the principle of least privilege, behavioral analytics, and automated response capabilities can effectively block threats regardless of the initial entry vector. Zero trust is not a completely novel concept; it is rather a logical evolution and, more importantly, a proper execution of known concepts at organizational scale, with diligence and rigor.
By mapping attack scenarios against the kill chain, we demonstrate how technical control failures, not human actions, determine an attack's success. The "human weakness" narrative has become a convenient excuse for inadequate security infrastructure and implementation.
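The mapping described above can be made concrete as a small model: an attack scenario is a path through the kill-chain phases, each technical control covers one or more phases, and the attack reaches its objective only if every control on that path fails. The following Python is an added illustration, not code from the paper; the scenario, phase names and control set are constructed assumptions chosen to mirror the "employee opens an attachment" case.

```python
"""Map an attack scenario against the kill chain and count the independent
technical controls that would all have to fail for the attack to succeed.
Added example; the controls and scenario below are constructed, not taken
from any real environment."""

from dataclasses import dataclass

# Lockheed Martin Cyber Kill Chain phases, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]


@dataclass(frozen=True)
class Control:
    name: str
    blocks: frozenset  # phases at which this control can stop the attack


@dataclass(frozen=True)
class Scenario:
    name: str
    phases: tuple  # phases the attack passes through, in kill-chain order

    def __post_init__(self):
        idx = [KILL_CHAIN.index(p) for p in self.phases]  # raises on unknown phase
        if idx != sorted(idx):
            raise ValueError("scenario phases must follow kill-chain order")


# Constructed control set (assumption): one or two technical controls per phase.
CONTROLS = (
    Control("email_gateway", frozenset({"delivery"})),
    Control("macro_policy", frozenset({"exploitation"})),
    Control("edr", frozenset({"installation"})),
    Control("egress_filtering", frozenset({"command_and_control"})),
    Control("least_privilege_segmentation", frozenset({"actions_on_objectives"})),
    Control("behavioral_analytics",
            frozenset({"command_and_control", "actions_on_objectives"})),
)

# Constructed scenario: phishing mail with a malicious attachment. The
# "user opens the attachment" moment is the exploitation phase.
PHISHING = Scenario("malicious attachment", (
    "delivery", "exploitation", "installation",
    "command_and_control", "actions_on_objectives",
))


def controls_for(scenario, controls):
    """Map each phase of the scenario to the controls able to stop it there."""
    return {ph: [c.name for c in controls if ph in c.blocks] for ph in scenario.phases}


def simulate(scenario, controls, failed=frozenset()):
    """Walk the scenario phase by phase; `failed` names controls assumed to
    have failed. Returns ("blocked", phase, control) at the first phase where
    a standing control intercepts, or ("succeeded", last_phase, None)."""
    for phase in scenario.phases:
        standing = [c.name for c in controls
                    if phase in c.blocks and c.name not in failed]
        if standing:
            return ("blocked", phase, standing[0])
    return ("succeeded", scenario.phases[-1], None)


def failures_beyond_user(scenario, controls):
    """Number of distinct technical controls that must ALL fail, in addition
    to the user's click, for the scenario to reach its objective."""
    return len({c.name for c in controls
                if any(ph in c.blocks for ph in scenario.phases)})


if __name__ == "__main__":
    print(controls_for(PHISHING, CONTROLS))
    # Gateway let the mail through and the user opened it: still blocked.
    print(simulate(PHISHING, CONTROLS, failed={"email_gateway"}))
    # Only when every control on the path has failed does the attack succeed.
    print(simulate(PHISHING, CONTROLS, failed={c.name for c in CONTROLS}))
    print(failures_beyond_user(PHISHING, CONTROLS), "controls must fail")
```

Running the script shows the point of the argument: with the gateway bypassed and the user's click taken as given, the attack is still stopped at exploitation, and six independent technical controls have to fail before the user's action turns into a breach. Extending the model to a real environment means replacing the constructed control set with the organization's actual controls and their phase coverage.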
This paper calls on business leaders and board members to shift focus from blaming employees to holding IT and Security teams accountable for comprehensive protection measures. Organizations must demand and support security programs that protect both business assets and employees through robust technical controls. Security teams should be responsible for building resilient systems that account for normal human behavior, rather than expecting employees to serve as primary security controls.
If this paper achieves one thing, let it be putting "It's all the users' fault!" finally to rest. That alone would meet its objective, because we could then all focus on protecting the organization, including its people.
Petr Špiřík
PwC Partner leading Cybersecurity & Privacy in the Czech Republic, and also the Managed Cybersecurity Services for the entire EMEA region. In the past, he served multiple times as CISO, including the global role of Vice President of Information Security at a listed technology firm. From the cybersecurity industry perspective, Petr has focused primarily on Security Operations Centers (SOC), Incident Response and Threat Intelligence, for clients, internally, and in a Research & Development capacity. A strong believer in technological progress, in educating young people, and in the possibility of winning over the threat actors. Long-term supporter of the thesis that the honey badger is the best animal on the planet, and will gladly discuss it at IS2 with anyone.
