# Cybersecurity and Human Factors: Why Cybersecurity Is a Human Issue Rather Than a Technical Problem

By [Mihoko Matsubara](https://www.paloaltonetworks.com/blog/author/mihoko-matsubara/?ts=markdown "Posts by Mihoko Matsubara"), Nov 14, 2017, 5 minutes

I recently had a discussion with Japanese business executives on cybersecurity challenges during which one
of them asked me about the biggest difference between Japan and other countries regarding their approach to cybersecurity. I answered, "Each country and sector are different; but if I compare Japan and the United States, the Japanese tend to think cybersecurity is a technical problem, whereas the Americans tend to believe cybersecurity is a human issue, based on previous interactions and feedback from my peers and industry experts in the United States."

This answer surprised him and brought home the point that cybersecurity touches upon various aspects of human nature and activities, rather than just technical problems. Only humans can do the cybersecurity risk assessment and management because this requires decision-making and resource allocation. People are essential for solving challenges around cybersecurity.

[The IBM Security Services 2014 -- Cyber Security Intelligence Index](https://media.scmagazine.com/documents/82/ibm_cyber_security_intelligenc_20450.pdf) shows that more than 95 percent of the cyber incidents that IBM investigated occurred due to human errors, such as system misconfiguration and poor patch management. [People are the weakest link in cybersecurity](http://www.cio.com/article/3191088/security/humans-are-still-the-weakest-cybersecurity-link.html) because every single person makes mistakes. That is why social engineering works to trick people into doing something they are not supposed to do, and employers encourage their employees not to open suspicious attachments or click URLs from unsolicited senders.

Of course, cybersecurity includes technical elements. Technology is crucial to address cybersecurity challenges because offerings like firewalls and endpoint protection are needed to prevent malicious actors from achieving their goals by cyber means. Technical knowledge is required to innovate, choose and use those products, as well as to analyze malware.
However, it is equally important to analyze and understand human factors behind cyberattacks and risks because these are the biggest trigger of cybersecurity incidents.

Since today's business environment cannot survive without IT, both IT and cybersecurity should be regarded as business enablers rather than cost centers. That is why the Japanese Ministry of Economy, Trade and Industry (METI) and the Information-Technology Promotion Agency (IPA) pointed out in their [Cybersecurity Guidelines for Business Leadership Ver 1.1](http://www.meti.go.jp/policy/netsecurity/downloadfiles/CSM_Guideline_v1.1.pdf) in December 2016 that cyberattacks are an unavoidable business risk in today's business environment, where IT is part of the infrastructure.

To manage risks, [acceptance, avoidance, mitigation, or transfer is needed](https://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf). If a cybersecurity risk is low or moderate, an organization can decide to accept it and not take any cybersecurity action to mitigate it. If a potential cybersecurity risk seems to be unacceptable, the organization may decide to take an action to eliminate the basis of the risk, such as a specific activity or technology. If the organization has resources to shift risk liabilities and responsibilities to others who have better expertise, the organization can transfer the risk, such as through cyber insurance. If the risk is not acceptable, avoidable, or transferable, the organization should take cybersecurity approaches to reduce the risk, such as authentication, encryption, or firewall installation.

Investment in risk management is also needed. Yet, [information technology (IT) was introduced to business operations mainly to cut costs](http://cyber-risk.or.jp/sansanren/2.bessi_1_1.0.pdf).
Because cybersecurity has traditionally been considered part of IT, it is challenging for companies to realize that it is an area to invest in as a business enabler.

In fact, IPA's [Survey of cyber risk management in companies in 2015](https://www.ipa.go.jp/files/000045629.pdf) in June 2015 showed that less than 50 percent of even major Japanese companies assess their business risks. Only 49.2 percent of the business leadership of even major companies (their annual sales being over 1 billion yen) answered that they do business risk assessment. The ratio is 28.2 percent at medium-sized companies (their annual sales being between 100 million and 1 billion yen) and 14.9 percent at small companies (their annual sales being under 100 million yen). Japanese companies are behind American and European companies in this regard. According to [IPA's survey about Chief Information Officers (CIO) and Chief Information Security Officers (CISO) in companies](http://www.ipa.go.jp/files/000058850.pdf) in 2017, 34.6 percent of Japanese companies said that risk visualization is challenging or insufficient. The ratio is higher in Japanese companies than in American (32.4%) or European companies (27.9%).

Unless business risks are assessed or visualized, it is impossible for business leadership to determine how much in the way of resources to invest to accept, avoid, mitigate, or transfer each of their business risks. Resources that are limited in quantity will be wasted.

[An Indian folk tale about six blind men and an elephant](https://www.peacecorps.gov/educators/resources/story-blind-men-and-elephant/) is applicable to cybersecurity and business risk management. The six men touched different parts of an elephant and pictured the elephant as being like a wall, snake, spear, huge fan, cow, or rope. None of them obtained a whole picture of the huge animal because they did not have complete information about it. Luckily, the animal they were touching was a gentle elephant.
Were it a lion, touching would not have been a good idea.

What actions, then, should business executives, especially in Japan, take now?

* Review your business risks and understand what kinds of risks your organization currently faces.
* Talk to your CISO and his or her team to share cyber risk findings and decide on which actions to take, whether from the stance of acceptance, avoidance, mitigation, or transfer.
* Prioritize business risks that require immediate action to avoid, transfer, or mitigate them and decide on how much in the way of resources should be spent on each risk.
* Since C-suites need to balance between usability, security, and budgets, consider applying automation, such as defense and the integration of cyberthreat intelligence, to maximize efficiency and effectiveness.
* Review your business strategy and revise it to reflect the cyber risk findings to maximize business value for your organization, customers, and partners.

It is indispensable to have a whole picture of business risks to optimize the use of limited resources to manage them. Every organization needs to have good decision-making on business risk management, and only people can do it. This step is a great opportunity to increase your business value.