{"code":"MAKHRG","speakers":[{"code":"Q3LFHE","name":"Yvonne Bauer","biography":"Yvonne Bauer is a humanist with many years of expertise in human resources, recruiting, and diversity. After studying psychology and knowledge management, she worked for two consulting firms that focused on comprehensive HR consulting for IT companies. For several years now, she has been working in the cybersecurity industry, where her primary concern is to get more women excited about this field and encourage them to pursue and advance their careers in information security by volunteering as a board member and national coordinator at Women4Cyber Austria.","avatar":"http://cfp.bsidesvienna.at/media/avatars/Adrian_Almasan-0037_6PvHV0I.jpg"},{"code":"SL9SX7","name":"Wolfgang Ettlinger","biography":"Wolfgang Ettlinger is heavily interested in the technical aspects of IT security, in particular application security. In the past decade he has gathered experience with a broad range of languages, technologies and frameworks in e.g. penetration testing, source code review and secure software development projects. He is responsible for the identification of dozens of CVEs affecting products from Citrix, Oracle, Symantec, Sophos, Trend Micro, etc. He currently serves as the Head of Research and Director for Application Security at Certitude Consulting.","avatar":null}],"title":"\"The Human Factor. Cybersecurity's weakest link or most adaptive defense?\"","submission_type":{"en":"Medium Talk"},"track":{"en":"Dachsaal (Track 2 - 190 pax)"},"state":"confirmed","abstract":"In cybersecurity, a narrative exists: The problem is sitting in front of the screen… but is it?\r\n\r\nOur understanding of humans in cybersecurity is shaped by problematic metaphors, which influence how we design security systems. 
The way we likely describe humans shapes how we approach cybersecurity.\r\n\r\nHumans are seen as the weakest link: Humans are viewed as the main source of failure > Assumption: Technology is strong, humans are weak\r\n\r\nHumans are seen as driven by fear: as a frightened animal > Assumption: Fear and punishment drive secure behavior\r\n\r\nAnd once you believe that the human is the problem, you stop looking for better explanations.\r\n\r\nIn our talk we will have a deeper look at these assumptions and the psychological as well as technical factors of (in)secure behavior in organizations.\r\nCognitive biases often cause individuals to underestimate rare but catastrophic risks or to place excessive trust in automation. Routine blindness may result in subtle anomalies being ignored when tasks become repetitive. Furthermore, poor collaboration and information silos weaken collective intelligence, while misguided prioritization—such as choosing convenience over security—can undermine defense efforts. Yet, to fully leverage strengths like pattern recognition, intuition, adaptive reasoning and ethical decision-making, organizations should minimize human error through training, supportive tools, and sustainable working conditions, ensuring that human intelligence can function as a powerful ally in defending against digital threats.","description":"In our talk we scrutinize the critical role of human behavior in cyber defense and how it reframes defense strategies beyond purely technical or machine-driven approaches. Human cognition acts as a complementary system, not just a weak link. This creates a hybrid model, where adaptive human decision-making works in tandem with machine efficiency. 
One of its core strengths lies in pattern recognition and contextual understanding.\r\n\r\nSecurity analysts are often able to spot unusual behaviors or subtle anomalies that automated systems might overlook.\r\n\r\nEqually important are creativity and intuition, which allow humans to anticipate novel attack methods and think beyond established rules or signatures.\r\n\r\nLike the immune system, humans are capable of adaptability, adjusting strategies quickly in response to emerging threats.\r\n\r\nIn addition, they bring ethical judgment and strategic decision-making, enabling a nuanced evaluation of risks that goes beyond metrics and algorithms.\r\n\r\nHowever, the human factor also introduces vulnerabilities. Alert fatigue and cognitive overload can reduce vigilance, leading to missed threats.\r\n\r\nAgenda:\r\n\r\n    Assumptions „The problem is sitting in front of the screen“ (User)\r\n    Security Behavior in Organizations – Security Compliance vs. Security Participation\r\n    People don’t fail randomly. They fail predictably within the system we design.\r\n    Organizational, Individual & Environmental influencing factors & dimensions of security behavior and the question “Why does security often not work in practice”\r\n    „Policies are made to pass audits – not actually for you to follow“\r\n    Practical examples: force of habit, alert fatigue, psychological acceptability: Phishing\r\n    “Computers are weird”\r\n    Key Takeaways","duration":50,"slot_count":1,"do_not_record":false,"is_featured":false,"content_locale":"en","slot":{"room":{"en":"Dachsaal (Track 2 )"},"start":"2026-06-27T13:05:00+02:00","end":"2026-06-27T13:55:00+02:00"},"image":null,"resources":[{"resource":"/media/bsidesvienna-0x7ea/submissions/MAKHRG/resources/Bauer_Ettlinger_The_Human_Factor_2706202_hvx9URD.pdf","description":"Slidedeck_The Human Factor_Bauer&Ettlinger"}]}