As cyberattacks continue to make headlines, organizations often feel pressured to invest large amounts of money in cutting-edge technology to secure their systems. However, a new research article co-authored by Clinton School of Public Service faculty members states that human, organizational, and environmental factors are just as important as technological components when it comes to cybersecurity defense.
The article, “Mapping the landscape of cybersecurity preparedness: A systemic review of non-technological determinants and consequences,” will be published in the journal Technology in Society in December and is already available online.
The paper was co-authored by Assistant Professor Dr. Songkhun “Sunny” Nillasithanukroh and Associate Professor Dr. Robert Richards of the Clinton School and Dr. Chul Hyun Park, a senior research associate at the Clinton School and associate professor in the School of Public Policy at the University of Maryland. The co-authors also include Dr. Jaejong Baek and Dr. Gail-Joon Ahn from the School of Computing and Augmented Intelligence at Arizona State University.
The researchers argue that most existing cyber defense frameworks prioritize expensive technology while overlooking everyday factors, like leadership commitment, a lack of employee training, and information overload, that often contribute to security breaches.
“We tend to think about cutting-edge technology, but that costs a lot of money,” Nillasithanukroh said. “We want people to think about non-technological factors organizations can adjust without making costly investments in order to improve their defenses against cyberthreats.”
While most companies look for technological vulnerabilities, the most common cybersecurity breakdowns often occur at the human and organizational levels.
“Many institutions lack clearly defined roles, consistent planning, or a sustained security culture,” Park said. “These non-technical gaps can leave even well-equipped organizations vulnerable to preventable threats.”
The Gaps in Organizational Defense
The systematic review makes a compelling case that cybersecurity preparedness is a challenge that spans the entire organization, not just the IT department. It can be especially difficult to tackle for smaller organizations that don’t have the same resources, budgets, or workforces as their larger counterparts.
“Cybersecurity isn’t just a technical challenge. Our review shows that relying solely on technological tools overlooks a crucial reality,” Park said. “Many breaches stem from miscommunication, lack of leadership, or organizational gaps. True preparedness requires aligning policies, people, and processes.”
For small businesses, local governments, and nonprofits, these non-technological factors represent low-cost, high-impact ways to improve security immediately. Nillasithanukroh points out that leadership buy-in is the essential first step.
“The leadership has to realize that cyberthreats are real and very prevalent, even among small businesses,” Nillasithanukroh said.
Practical Steps for Any Organization
The research outlines several practical, non-technical steps any organization can take:
- Prioritize Low-Cost Training: Even organizations that lack significant financial resources should provide employees with regular training, leveraging free resources available online.
- Prevent Cognitive Demand: While security measures like frequent password changes are necessary, Nillasithanukroh warns against pushing too many security burdens onto employees, which can lead to employee resentment and compliance fatigue.
- Break Down Silos: The research found that information silos between different departments can significantly increase cyberthreats. Clear communication and collaborative security planning between departments are essential to keeping an organization secure.
- Build Partnerships: Small organizations can partner with larger institutions or leverage public-private partnerships that can provide cybersecurity resources they could not afford alone.
Park offers a hands-on starting point for executives: “A practical first step is to run a tabletop exercise involving leadership, IT, and non-IT teams. Simulating a cyber incident clarifies responsibilities, stress-tests response plans, and reveals gaps—before a real crisis occurs.”
The High Cost of Complacency
The consequences of neglecting non-technological factors in cybersecurity defense extend far beyond the direct financial cost of an attack.
According to Nillasithanukroh, a successful cyberattack can result in the loss of critical data and necessitate significant funds for recovery, potentially forcing small businesses to cease operation. For government and nonprofit entities, the damage can be even more severe.
“If it becomes public knowledge that your organization has become compromised, people might view your business negatively and no longer do business with you,” he said. “If it’s a government or nonprofit, the damage runs deeper. It can erode public trust in local governance, ultimately affecting their ability to serve the community.”