NEVERHACK Estonia
5 December 2025
Technology continues to advance at incredible speed, yet one reality remains unchanged: humans are still the first and last line of defense in cybersecurity. In this CyberCast episode, psychologist and leadership trainer Andero Teras explores why the human mind—its habits, shortcuts, biases, and communication patterns—shapes cyber risk far more than any tool or system.
What emerges is a compelling perspective: if we want stronger cybersecurity, we must first understand how people actually think and behave.
PS! This episode was recorded during the Nordic-Baltic Security Summit 2026.
The Brain: Powerful, Efficient, and Prone to Shortcuts
The human brain is astonishingly efficient. It processes information, makes decisions, and forms complex mental models using only around 20 watts of energy. But this efficiency comes with trade-offs. To conserve energy, the brain relies on mental shortcuts—heuristics—that help us make fast decisions.
In the physical world, these shortcuts often serve us well. Online, however, they can betray us. The digital environment lacks the sensory cues our ancestors relied on. There is no sound, no smell, no physical presence. As a result, the internet feels abstract, and our natural risk-detection systems struggle to interpret it.
This gap between ancient wiring and modern threats creates vulnerabilities attackers know how to exploit.
Why Storytelling Is Essential in Cyber Awareness
Because digital threats are so abstract, Andero argues that cybersecurity professionals must become excellent storytellers. People don’t respond meaningfully to code snippets or technical warnings—they respond to narratives.
A story can turn an invisible risk into something real. It can make a phishing attack relatable, a data breach understandable, and a security habit meaningful. Storytelling has always been at the core of human learning, from cave fires to corporate training rooms. In cybersecurity, it is not an optional skill but a necessary one.
Cognitive Bias: The Hidden Driver of Risky Decisions
Much of everyday cybersecurity behavior—good and bad—can be traced back to cognitive biases. These biases are the brain’s way of simplifying information, but in the wrong context, they lead to poor decisions.
For example, people tend to trust things that look polished or professional, even when that appearance is manufactured. They seek information that confirms their beliefs, which can make malicious messages feel legitimate. They assume that when others make mistakes, it’s due to incompetence, but when they make mistakes, it’s just bad luck. These biases create a false sense of confidence and reduce caution.
Understanding these mental patterns doesn’t mean blaming individuals. Instead, it helps leaders design systems, training, and communication that work with human psychology, not against it.
Micro-Habits: Small Steps That Drive Real Change
Large-scale behavioral change rarely works—but micro-habits do. According to Andero, meaningful improvement often comes from tiny, repeatable actions that are easy to adopt and maintain.
A brief pause before clicking a link, a moment taken to verify an email address, or the simple habit of questioning one’s assumptions can significantly reduce risk. These micro-actions deliver quick feedback and create momentum. They gradually shape a culture of awareness without overwhelming people.
Security teams often focus on technology upgrades because they are quick to implement. But transforming human behavior requires patience, consistency, and structure. Micro-habits provide exactly that.
The Power of Debriefing
In many high-stakes fields—such as aviation and engineering—teams rely on regular debriefs to examine what worked, what didn’t, and why. Andero believes cybersecurity can benefit greatly from this practice.
A well-run debrief allows teams to analyze their assumptions, understand the root causes of mistakes, and refine their mental models. It normalizes continuous learning and helps people see patterns in their own thinking. Over time, this creates a more resilient and self-aware team culture.
When asked for one practical technique leaders can adopt immediately, Andero highlights closed-loop communication. This simple method ensures that instructions are heard, repeated, and confirmed. It dramatically reduces misunderstandings—the kind that often lead to configuration errors, missed alerts, or accidental exposures.
Closed-loop communication requires only a few seconds, yet its impact on clarity and precision is enormous. It is widely used in aviation and medicine, and it can be just as transformative in cybersecurity.
This episode reframes cybersecurity as a deeply human discipline. Technology will continue to evolve, but human behavior will always shape how systems are used, how decisions are made, and where vulnerabilities emerge.
By understanding how the brain works, recognizing cognitive biases, encouraging micro-habits, and improving communication, leaders can build teams that are not only more secure but more thoughtful, aware, and aligned. Cybersecurity is no longer just about tools—it’s about people. And as Andero reminds us, when people understand themselves better, they can defend better.