
How to stop wasting Human Capital in cybersecurity


In cybersecurity, technology often takes centre stage. From firewalls to artificial intelligence, most investments focus on software, hardware, and compliance systems. Yet one of the most powerful and underutilized resources is human capital – the collective knowledge, skills, and motivation of people. This human capital is all too often wasted, creating stress, inefficiency, and friction. Professor Angela Sasse from Ruhr-Universität Bochum argues that it’s time to rethink our approach and treat people not as the weakest link, but as the strongest defence. This article draws on a presentation she recently delivered at the BE-CYBER event 2025.

The value of Human Capital 

The concept of human capital, which dates back to Adam Smith (1776), identifies investment in individual education and training as a critical resource that may be more significant than traditional capital or natural resources. Research confirms that organisations that care about their employees and make them feel appreciated perform better. Human capital is positively related to employee performance, as well as organisational effectiveness and growth. Employees’ contributions through knowledge, skills, abilities, and qualities have a strong relationship with their health and well-being.

The high cost of stress 

Cybersecurity is an increasingly complex field of work with many different functions and mounting pressure. Despite the widely recognised value of human capital, cybersecurity is plagued with practices that misuse this vital resource. The consequences are serious: people perform worse at their jobs, the organisation’s overall results suffer, staff turnover rises, the quality of work declines, and absenteeism increases. The core problem driving this erosion is stress, and independent research confirms that overall work stress levels have increased notably in recent decades, predominantly driven by psychological pressures.

The crisis among cyber leaders  

Chief Information Security Officers (CISOs) epitomize the problem. Surveys indicate that nearly 90% report high stress, 60% rarely disconnect from work, and 17% rely on alcohol or medication to cope. Many work long hours and last only one to two years before burning out. 

The role carries enormous responsibility but limited authority and resources, and it is often poorly defined. CISOs are expected to translate complex risk into board-ready language, justify budgets, manage crises, and enforce compliance. Interviews with board members suggest a pattern of shifting accountability onto the CISO, rather than sharing it across leadership.

This is short-sighted. Digital transformation is not just about technology; it is an organisational change. It is the responsibility of business leaders to build security into the organisation’s fabric. That means empowering the CISO instead of offloading the burden, clarifying the mandate, backing it with resources, and investing in both technology and people to reduce the daily friction CISOs face. 

Culture makes matters worse. Cybersecurity often adopts militaristic, masculine norms that prize toughness, vigilance, and perfection. Admitting fatigue or uncertainty is treated as weakness, and professionals are expected to project confidence despite constant setbacks. Over time, this performative strength becomes exhausting and unsustainable. 

Frontline reality and relationship breakdown 

Cybersecurity doesn’t just burden cyber leaders; it affects everyone responsible for upholding it day to day. IT and security teams often enforce controls that slow their own work. Complex authentication, frequent timeouts, and constant updates can make security feel like friction. A single breach incident can leave a psychological scar that lasts for years. 

Although security should be a shared effort, poor communication, mismatched expectations, and a culture of blame strain relationships between IT and the rest of the organisation. “Security champions” rarely bridge that gap when they’re undertrained or lack support. Meanwhile, SOC analysts face rising burnout, driven by limited automation, repetitive work and a fixation on metrics over meaningful outcomes. 

Employees and Security-Related Stress   

Security even creates stress for employees at every level, a phenomenon known as Security-Related Stress (SRS). Heavy workloads, constant pressure, and friction from IT systems and cybersecurity rules reduce productivity. They also weaken security itself: when inboxes overflow and work piles up, people are more likely to click on phishing emails. 

Simulated phishing campaigns, now a thriving industry, aim to build vigilance but rarely achieve lasting results. Employees who “fail” these tests often report higher stress and embarrassment. While security training remains essential, neuroscience shows that learning under stress harms memory and retention. Language matters too: training that relies on English terms may not resonate or be understood on, for example, a German factory floor. 

The systemic roots of the problem 

The challenges facing CISOs, analysts, and everyday employees share a number of root causes. 

The first is accountability. Policy makers and governments increasingly shift cybersecurity responsibility onto organisations and individuals. Citizens and businesses are told to protect themselves through certifications and self-regulation, yet many lack the resources or expertise to do so. When they fall short, policymakers blame them rather than acknowledging structural limits. The result is frustration, scepticism, and stagnation, ultimately weakening collective resilience. 

A second cause is ineffective measures that provide false comfort. Cybersecurity efforts too often default to measures that are visible rather than effective. From “security theatre” (cosmetic or psychological signals that create a false sense of safety) to “rational astrologies” (following familiar requirements or doing something to avoid admitting uncertainty), these actions appear reasonable to decision-makers but deliver little real protection. They consume time, money, and attention that could be invested in genuine risk reduction.

And finally, there is the “compliance mindset”. When security becomes “box-ticking,” organisations chase external certifications instead of continuous improvement. This erodes the feedback loops needed for learning and adaptation. The result: staff lose curiosity, leaders lose insight, and systems stagnate while remaining vulnerable.

A better way forward

Cybersecurity will not be realised by technology alone. Firewalls can be breached, software can fail, and AI can be fooled, but a motivated, capable, and trusted workforce can adapt to almost anything. Successful cyber defence hinges on robust human capital, and Prof. Sasse closed her presentation at BE CYBER 2025 by urging organisations and leaders to stop wasting it.
 
For security experts, this means investing in better IT and meaningful automation, easing stress while offering genuine growth opportunities, and securing visible, consistent engagement from leadership. For employees, the priorities are to reduce security friction, focus on changing behaviours rather than merely transferring knowledge, and avoid wasted time through targeted, concise communication. Change should be implemented one step at a time. 

Ultimately, the goal is to provide accessible and meaningful support, moving away from ineffective, stressful strategies in order to build resilient, engaged, and well-supported human capital throughout organisations. 

In the picture: Prof. Dr. M. Angela Sasse, Ruhr University Bochum

 

About the author
Jo De Brabandere


Jo De Brabandere is an experienced marketing & communications expert and strategist.