A Cyberpsychologist’s Take on Cybersecurity’s Culture of Blame

“Only careless people get hacked.” It’s a commonly held belief in cybersecurity. But is it true?
Dr. Erik Huffman, a leading expert in cyberpsychology, has spent years researching this question. His work delves into how human behavior impacts cybersecurity and why traditional survival instincts fail to protect us online.
His findings? Even the most prepared get breached.
In our latest episode of The Segment: A Zero Trust Leadership Podcast, I sat down with Huffman to discuss the reality of today’s attacks and why Zero Trust is the best answer to breach preparedness.
Finger-pointing holds back cybersecurity
According to Huffman, one of the most toxic reactions to a breach is the immediate instinct to blame individuals.
“When an incident happens, everyone jumps to ‘Who did what wrong?’ instead of ‘How did this happen and how do we prevent it?’” he explained.
This culture of blame isn’t just counterproductive — it’s outdated. The reality is that even the most well-resourced, security-conscious organizations suffer breaches.
“100% security doesn’t exist,” he said. “If a nation-state wants to get in, they will.”
The focus needs to shift from blame to analysis: understanding what happened, learning from it, and adapting defenses.
Hackers exploit stress, not stupidity
Huffman is adamant that the industry has spent too much time on cyber awareness and not enough on cyber preparedness.
“We keep telling people what to look out for, but we’re not preparing them for how to react under stress,” he said.
Cybercriminals don’t target people when they’re alert and cautious. They attack when people are vulnerable: stressed about layoffs, rushing to meet a deadline, or emotionally invested in a request that seems urgent.
Huffman says the key is understanding personal vulnerabilities. “We need to train people not just on generic threats, but on the specific psychological tactics attackers use. Every person has unique triggers.”
Expect a new wave of attacks fueled by AI
The rise of AI-driven attacks only makes this problem worse. Deepfake audio and video are already being used in cyberattacks, with threat actors impersonating executives to authorize fraudulent transactions.
“What happens when you can no longer trust what you see or hear?” Huffman asked. “We’re entering a time where ‘verify, verify, verify’ needs to become second nature.”
Security leaders must prepare for a world where even a phone call from a known contact can’t be taken at face value. Adopting Zero Trust principles — and a Zero Trust mindset throughout the organization — will be crucial in countering AI-powered deception.
Zero Trust is the organizational seatbelt
So, how do we move from awareness to preparedness?
Huffman suggests these key steps:
- Threat appraisal: identifying what personal vulnerabilities an individual has and how they are likely to be exploited
- Coping appraisal: developing strategies for how individuals will recognize and respond to threats when they are most vulnerable
Preparedness means giving employees practical tools to protect themselves, rather than just teaching them about threats in the abstract.
“We need to stop scaring people and start empowering them,” he said. “Right now, cybersecurity feels like driving a car without a seatbelt — hoping nothing bad happens. We need to give people their cybersecurity seatbelts.”
At the organizational level, Zero Trust serves the same role.
“Zero Trust isn’t just about technology. It’s a mentality,” Huffman said. “It’s not ‘trust but verify’ — it’s ‘verify, then verify again.’”
Organizations that adopt Zero Trust alongside cyber preparedness training build resilience against both human and technological vulnerabilities. And in today’s world, resilience is the name of the game.
The journey from IT to cyberpsychology
Huffman’s path into cyberpsychology wasn’t linear.
After earning his degree in computer science, he began his career in IT, fixing networks and troubleshooting security issues. But his perspective changed dramatically after experiencing back-to-back data breaches firsthand.
“I was throwing every security measure at the problem, and yet the breaches kept happening,” he recalled. “I had to ask myself — if only dumb people get hacked, then am I stupid?”
Determined to find answers, he turned to research and discovered that over 90% of data breaches involve human behavior, either through error or social engineering. This realization led him to cyberpsychology, where he has since conducted studies with over 20,000 participants and worked with more than 220 organizations worldwide to bridge the gap between cybersecurity and human behavior.
Now an award-winning educator, entrepreneur, speaker, and researcher, his insights have been shared at NASA-Goddard, ISACA, TEDx, and other leading forums. He’s currently a Research Collaborator at the National Institute of Standards and Technology (NIST).
Listen, subscribe, and review The Segment: A Zero Trust Leadership Podcast
Want to hear my full discussion with Dr. Huffman? Listen to this week’s episode on Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read a full transcript of the episode.