By Emily Rosenorn-Lanng
You can have the strongest technical security controls in the world, but if your people are overwhelmed, foggy-headed, or burnt out, those controls are likely to fail. At Cyber Innovations Ltd., we have been exploring this dynamic using real-world data—and one chart in particular captures it perfectly.
This visual shows a clear negative correlation between the percentage of enterprises adopting multiple ICT security measures and reported workplace stress levels across the EU (plus the UK). The data, drawn from CEOWORLD and Eurostat, highlights something deceptively simple yet profoundly important: more security does not always create more stress—in fact, it may help reduce it.
Now, this is correlation, not causation. But it suggests that workplace confidence in clear, effective security measures may ease psychological strain. And with AI-driven cyber threats accelerating, this balance matters more than ever.
The Hidden ROI of Lower Stress
There is a quiet but significant return on investment to be found here: lower stress levels lead to fewer errors, faster incident reporting, and a more engaged workforce. In cybersecurity terms, this directly strengthens both an organisation’s risk posture and its operational resilience.
From Threat Indicators to Human Indicators
In cybersecurity, we are used to tracking technical Indicators of Compromise (IOCs).
But we rarely ask: what are the human equivalents?
In high-stress environments, we start to see:
- Avoidance of incident reporting
- Decision fatigue and delays
- Overreaction or panic responses
- Shame, confusion, and fear of blame
These are what we might call Indicators of Psychological Compromise.
And crucially, they are not simply personal failings. They are structural. As Maslach and Leiter (1997) remind us, burnout does not arise from individual weakness—it emerges when organisational demands chronically outstrip available psychological resources.
Psychologically, this aligns with Professor Steve Peters’ Chimp Paradox model. Under pressure, our rational brain (the “Human”) can be overridden by our emotional brain (the “Chimp”), resulting in impulsive, sometimes irrational behaviour. In cybersecurity incidents, this means that even well-trained individuals may bypass established protocols if stress levels are too high.
Human-Centred Cyber Response
This is precisely where Cyber First Aid (CFA) comes in. CFA reframes cyber incident response through both technical and psychological lenses. It focuses not only on compliance, but on readiness, recovery, and resilience.
Structured around evidence-based tiers of response, CFA enables organisations to scale their support depending on the human stress indicators that emerge during and after cyber incidents. We are also currently developing a conceptual model that maps stress, security controls, and organisational outcomes in a clearer, actionable way (more on that soon).
For now, I want to leave you with a simple provocation:
What if security controls are not just about protecting systems — but about protecting people too?
Cyber First Aid is developed by Cyber Innovations Ltd.