Towards Modeling Cybersecurity Behavior of Humans in Organizations

TL;DR

This paper develops a comprehensive theoretical framework modeling human cybersecurity behavior in organizations, integrating awareness, culture, and usability, and explores its implications for AI security vulnerabilities.

Contribution

It introduces a novel, structured model of human cybersecurity behavior in organizations and applies it to understanding AI agent vulnerabilities and security strategies.

Findings

The model synthesizes key drivers like awareness and culture.

It compares the model with existing behavioral frameworks.

It suggests new security strategies for AI agents based on human behavior insights.

Abstract

We undertake a comprehensive and structured synthesis of the drivers of human behavior in cybersecurity, focusing specifically on people within organizations (i.e., especially employees in companies), and integrate key concepts such as awareness, security culture, and usability into a coherent theoretical framework. This model is then compared with several relevant behavioral models that fundamentally represent drivers of human behavior. Additionally, we discuss how this theoretical framework can help the domain of agentic AI security: We argue that as AI systems increasingly act as autonomous agents within organizations and based on natural language processing, they also exhibit vulnerabilities analogous to human behavioral risks. Consequently, we propose that this human-centric model offers a blueprint for developing additional security strategies against manipulation attacks targeting AI agents.