It’s time cyber security understood human behavior and acted accordingly

Hands on a laptop with overlaid logos representing network security
(Image credit: Thapana Onphalai via Getty Images)

Despite decades of investment in cyber awareness, organizations continue to suffer breaches that don’t stem from technical failures but from predictable human behavior under pressure.

For years, security strategies were centered around building a strong digital perimeter. Firewalls, intrusion prevention systems, and endpoint protection were designed to create a defensible boundary. Yet today, attackers rarely need to break through those defenses. Often, they now just need to ask for access.

Michael Downs

VP for Global Sales at SecurEnvoy.

With cloud platforms and SaaS tools now at the heart of most businesses, the idea of a fixed network edge has all but disappeared. The new perimeter resides in identity platforms, collaboration tools, and – most importantly – the everyday decisions of employees.


Crucially, those employees are prone to lapses in judgment and concentration. On a typical day, staff members face distractions, interruptions and urgent demands, pulling them in every direction. People rely on mental shortcuts to cope with complexity and cognitive overload.

Psychologist Daniel Kahneman has described this as fast thinking: the quick, intuitive mode that suits the demands and pace of our digital workloads. People act quickly to be helpful, respond to messages to keep work moving, and trust familiar names, urgent requests and the tools they rely on every day.

For threat actors, it’s something to prey on. Social engineers know that they can exploit these human traits by hijacking the trust and sense of urgency that people naturally exhibit.

And they are doing so with great success. M&S, for example, publicly stated that the cyber attack it suffered last year, costing the retailer approximately £300 million, was the result of “human error”.

1% of users accept simple MFA prompts on the first try

The threat of attackers exploiting human behavior is only set to increase. In its 2026 Global Cybersecurity Outlook, the World Economic Forum (WEF) states that cybercriminals are now weaponizing AI models to manipulate human trust with greater effectiveness in an effort to gain access to victims’ systems.

The WEF report adds that these capabilities represent a substantial evolution in the threat landscape, requiring more advanced and adaptive defense mechanisms.

There is no question that Multi-Factor Authentication (MFA) has become a foundational security requirement within that mix, supplementing the username and password model with additional factors to identify genuine users.

Traditionally, MFA has involved sending a prompt to a device that only a specific user owns, such as a mobile phone. As threat actors continue to look for the path of least resistance, MFA bombing has become prolific: repeated MFA prompts are sent to a victim to trick or irritate them into granting the attacker access to their account.

It’s an attack method that again seeks to exploit human psychology rather than technical vulnerabilities. After a victim’s username and password are obtained, through methods like phishing or buying leaked credentials on the dark web, automated tools are then used to trigger a flood of MFA approval requests.

Overwhelmed, fatigued or frustrated by these push notifications, users may either immediately or eventually accept the request without considering whether it’s genuine.

With just one MFA approval – a single click – the door to customer data, payment details and critical operational systems could be flung wide open, potentially leaving victims exposed to ransomware demands, online disruption, lost sales, damaged reputation and regulatory fines.
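From the defender's side, the flood of approval requests described above is itself a detectable signal: a burst of push prompts for one account in a short window, especially one that ends in an approval, is the pattern an identity team should alert on. The script below is an added example and is not code from the article or from SecurEnvoy; the log format, field names, window and threshold are assumptions constructed for the illustration.

```python
"""Detect MFA push-bombing bursts in authentication logs.

Added illustration (not the article's or any vendor's code). The log format,
field names and thresholds are assumptions constructed for this example. A
burst is flagged when one user receives BURST_THRESHOLD or more push prompts
within WINDOW; an approval that arrives after such a burst is the case that
most deserves immediate follow-up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
#   <ISO timestamp> user=<id> event=<push_sent|push_approved|push_denied> src=<ip>
SAMPLE_LOG = """\
2025-03-04T02:11:05Z user=alice event=push_sent src=203.0.113.9
2025-03-04T02:11:09Z user=alice event=push_denied src=203.0.113.9
2025-03-04T02:11:12Z user=alice event=push_sent src=203.0.113.9
2025-03-04T02:11:20Z user=alice event=push_sent src=203.0.113.9
2025-03-04T02:11:31Z user=alice event=push_sent src=203.0.113.9
2025-03-04T02:11:44Z user=alice event=push_sent src=203.0.113.9
2025-03-04T02:11:58Z user=alice event=push_sent src=203.0.113.9
2025-03-04T02:12:03Z user=alice event=push_approved src=203.0.113.9
2025-03-04T09:00:01Z user=bob event=push_sent src=198.51.100.7
2025-03-04T09:00:08Z user=bob event=push_approved src=198.51.100.7
"""

WINDOW = timedelta(minutes=5)   # sliding window per user (assumed)
BURST_THRESHOLD = 5             # prompts inside the window that count as a burst (assumed)


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bursts(log_text, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for users with a burst.

    'prompts' is the largest number of push_sent events seen inside one window.
    """
    recent = defaultdict(deque)   # user -> timestamps of push_sent events in the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:     # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                alert["prompts"] = max(alert["prompts"], len(q))
        elif event == "push_approved" and user in alerts:
            # An approval after a burst is the high-severity case: the user may have
            # accepted a prompt simply to make the notifications stop.
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bursts(SAMPLE_LOG).items():
        severity = "HIGH" if info["approved_after_burst"] else "MEDIUM"
        print(f"{severity}: {user} received {info['prompts']} push prompts in {WINDOW}")
```

On the constructed sample, alice is flagged (six prompts in under a minute, then an approval) while bob's single prompt-and-approve is normal. In production the same logic would run against the identity provider's authentication log, and a HIGH alert would typically trigger a session revocation and a password reset rather than just a ticket.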

Addressing human error

Yet, even with the strongest technical defenses, humans remain a critical factor in cyber security.

Humans are often deemed both the first line of defense and the weakest link in cybersecurity, and for good reason: in Verizon’s 2025 Data Breach Investigations Report (DBIR), human behavior (such as social engineering, credential misuse and unintended actions) was involved in around 60% of breaches, showing that people still play a major role in how breaches occur.

Cybersecurity is, therefore, in many ways no longer just a case of protecting systems, but informing decisions.

Mitigating the potential for those errors, mistakes, lapses in judgment or oversights is therefore crucial, and that starts with proper education, training and awareness, ensuring that employees can recognize MFA-related threats.

Every employee needs to be aware of the risks associated with approving suspicious login requests – if you receive an unexpected prompt, deny it, and report it to your IT department immediately.

Implementing enhanced MFA controls

With that said, it is impossible for organizations to eliminate human error entirely. Authentication controls with greater capabilities may therefore need to be implemented to reduce the potential for MFA bombing to result in a breach.

Last year, several national and international cybersecurity bodies put out a joint advisory advocating that such controls be adopted on a broad basis, highlighting the need for organizations to move beyond basic controls and adopt phishing-resistant MFA.

The weaknesses of simple “click to approve” or “enter your PIN to approve” requests, which are particularly susceptible to MFA bombing and MFA fatigue, can therefore be eliminated.

Specifically, context-based access controls are used to analyze additional factors about a login attempt. This can include the location of login attempts; the device, operating system and browser used; and the user’s typical behavior – for example, the time the user usually takes to authenticate.

By combining multiple authentication proof points, enhanced MFA can make smarter authentication decisions, flag suspicious logins, and ensure low-risk ones proceed without requiring additional verification.
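The two paragraphs above describe a risk-scored decision: several contextual signals are compared against the user's own baseline, and the outcome is silent allow, step-up, or block. The script below is an added example of that decision logic and is not code from the article or from any vendor; the signals, weights, thresholds and the baseline data are assumptions constructed for the illustration, and a real deployment would tune them against its own login history.

```python
"""Context-based (risk-scored) authentication decision.

Added illustration, not the article's or any vendor's code. Signals, weights,
thresholds and sample data are assumptions constructed for the example. The
decision mirrors the text: low-risk logins proceed without extra verification,
medium-risk logins are stepped up to a stronger factor, high-risk logins are
blocked and flagged for review.
"""
from dataclasses import dataclass


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from past successful logins."""
    usual_countries: set          # countries seen in recent successful logins
    known_devices: set            # stable device identifiers (assumed to be available)
    usual_hours: range            # local hours in which the user normally logs in
    typical_auth_seconds: float   # how long the user normally takes to complete MFA


@dataclass
class LoginAttempt:
    country: str
    device_id: str
    hour: int
    auth_seconds: float           # seconds between the prompt and the user's response


# Assumed weights; together they sum to 100.
WEIGHTS = {"country": 35, "device": 30, "hour": 15, "timing": 20}


def risk_score(attempt, baseline):
    """Return (score, reasons); each reason names a signal that deviated from baseline."""
    score, reasons = 0, []
    if attempt.country not in baseline.usual_countries:
        score += WEIGHTS["country"]
        reasons.append("unfamiliar country")
    if attempt.device_id not in baseline.known_devices:
        score += WEIGHTS["device"]
        reasons.append("unknown device")
    if attempt.hour not in baseline.usual_hours:
        score += WEIGHTS["hour"]
        reasons.append("outside usual hours")
    # A response far faster than the user's norm suggests a reflexive 'approve',
    # which is exactly the behaviour MFA bombing relies on.
    if attempt.auth_seconds < 0.25 * baseline.typical_auth_seconds:
        score += WEIGHTS["timing"]
        reasons.append("implausibly fast approval")
    return score, reasons


def decide(attempt, baseline, step_up_at=30, block_at=70):
    """Return (decision, score, reasons) with decision in {"allow", "step_up", "block"}."""
    score, reasons = risk_score(attempt, baseline)
    if score >= block_at:
        return "block", score, reasons
    if score >= step_up_at:
        return "step_up", score, reasons   # require a phishing-resistant factor before proceeding
    return "allow", score, reasons


def run_example():
    """Constructed walkthrough for one user; returns the decision for each attempt."""
    alice = UserBaseline(usual_countries={"GB"}, known_devices={"laptop-1"},
                         usual_hours=range(7, 20), typical_auth_seconds=8.0)
    attempts = {
        "office_laptop": LoginAttempt("GB", "laptop-1", 9, 7.5),
        "new_phone":     LoginAttempt("GB", "phone-2", 9, 8.0),
        "night_abroad":  LoginAttempt("US", "phone-2", 2, 1.0),
    }
    return {name: decide(a, alice) for name, a in attempts.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in run_example().items():
        print(f"{name:14} -> {decision:8} (score {score:3}) {', '.join(reasons)}")
```

The familiar laptop in office hours is allowed with no extra prompt, the new phone is stepped up, and the night-time attempt from an unfamiliar country on an unknown device with a near-instant approval is blocked. The timing signal is the one most directly tied to the fatigue attack: a user who normally takes eight seconds and suddenly approves in one is worth a closer look regardless of where the request came from.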

On top of this, FIDO2 or biometric controls can further protect against MFA bombing. A device-bound, phishing-resistant method of authentication prevents cybercriminals from stealing or intercepting login credentials, even if an employee is tricked into entering them on a fraudulent website.

Origin binding is one example of this: the credential is bound to a specific website domain (e.g., yourwebsite.com). If an employee is tricked into trying to log in to a fraudulent variation of the site (e.g., your-website.com), the cryptographic check fails automatically and the credential cannot be used.
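To make the "cryptographic check fails automatically" concrete, the script below simulates the three parties in a WebAuthn/FIDO2 login (authenticator, browser and relying party) and walks through the yourwebsite.com versus your-website.com case from the paragraph above. It is an added example, not code from the article or from SecurEnvoy, and it makes simplifying assumptions so that it runs with the Python standard library alone: an HMAC key stands in for the credential's private/public key pair, the relying-party-ID rule is a plain domain-suffix match, and the domains and user name are constructed.

```python
"""Simulation of WebAuthn/FIDO2 origin binding (added example, not the
article's or any vendor's code).

Assumptions: an HMAC secret stands in for the credential key pair, the RP ID
check is a domain-suffix match, domains and the user are constructed. The
property shown is the one the text describes: a credential registered for
yourwebsite.com cannot be exercised from your-website.com, and every signed
assertion carries the origin the browser actually saw.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit


class Authenticator:
    """Holds one credential per RP ID. The HMAC secret stands in for a private key."""
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]        # handed to the RP in lieu of a public key

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.credentials:
            raise LookupError(f"no credential for RP ID {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash, as in authenticatorData
        sig = hmac.new(self.credentials[rp_id], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


class Browser:
    """Fills in the origin itself; a web page cannot choose what goes into clientDataJSON."""
    def __init__(self, authenticator):
        self.authenticator = authenticator

    def get_assertion(self, origin, rp_id, challenge):
        host = urlsplit(origin).hostname
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError(f"RP ID {rp_id!r} is not valid for origin {origin!r}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}).encode()
        auth_data, sig = self.authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    def __init__(self, rp_id, expected_origin):
        self.rp_id, self.expected_origin = rp_id, expected_origin
        self.keys = {}

    def enroll(self, user, authenticator):
        self.keys[user] = authenticator.register(self.rp_id)

    def new_challenge(self):
        return os.urandom(16)

    def verify(self, user, challenge, assertion):
        """Return (ok, reason), checking in the order the WebAuthn spec lists."""
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != challenge.hex():
            return False, "challenge mismatch"
        if cd.get("origin") != self.expected_origin:            # the origin-binding check
            return False, f"unexpected origin {cd.get('origin')!r}"
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.keys[user], signed, "sha256").digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "signature invalid"
        return True, "ok"


def run_scenarios():
    """Constructed walkthrough; returns the (ok, reason) outcome of each login attempt."""
    auth, rp = Authenticator(), RelyingParty("yourwebsite.com", "https://yourwebsite.com")
    rp.enroll("alice", auth)
    browser, results = Browser(auth), {}
    # 1. Genuine login from the real site.
    ch = rp.new_challenge()
    results["genuine"] = rp.verify("alice", ch, browser.get_assertion("https://yourwebsite.com", "yourwebsite.com", ch))
    # 2. Look-alike page relays the real challenge and the real RP ID: the browser refuses.
    ch = rp.new_challenge()
    try:
        browser.get_assertion("https://your-website.com", "yourwebsite.com", ch)
        results["phish_relay"] = (True, "unexpectedly signed")
    except ValueError as e:
        results["phish_relay"] = (False, str(e))
    # 3. Look-alike page uses its own RP ID: the authenticator has no matching credential.
    try:
        browser.get_assertion("https://your-website.com", "your-website.com", ch)
        results["phish_own_rpid"] = (True, "unexpectedly signed")
    except LookupError as e:
        results["phish_own_rpid"] = (False, str(e))
    # 4. An assertion made for an origin the RP does not list is rejected by the origin
    #    check, and rewriting its origin field afterwards breaks the signature instead.
    ch = rp.new_challenge()
    a = browser.get_assertion("https://login.yourwebsite.com", "yourwebsite.com", ch)
    results["unlisted_origin"] = rp.verify("alice", ch, a)
    a["client_data"] = a["client_data"].replace(b"https://login.yourwebsite.com", b"https://yourwebsite.com")
    results["rewritten_origin"] = rp.verify("alice", ch, a)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:17} -> {'accepted' if ok else 'rejected'}: {reason}")
```

The point the walkthrough makes is that the origin is not something the user types or the page supplies: the browser writes it into the signed client data, the authenticator will only sign for the RP ID the credential was created under, and the relying party checks both before it trusts the signature. A look-alike domain fails at the first of those steps, and an assertion whose origin field has been edited after the fact fails at the last.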

Make sure that the solutions you adopt are easy to use

Ultimately, these various enhanced MFA features are designed to support safe user behavior.

By embracing and deploying enhanced, phishing-resistant MFA, organizations add a layer of friction between humans and social engineering, making it significantly harder for threat actors to exploit fast thinking and instinctive responses, and much easier for users to act securely.

When a single click can cost a company millions, it pays to invest in behavior-aware security today. However, ensuring you select the right tools for the job is important.

Like any security measure, enhanced MFA protocols shouldn’t slow people down. Indeed, if adhering to them is cumbersome, complex or time-consuming, then employees will quickly look to find ways to circumvent them.

With that in mind, firms must adopt enhanced MFA solutions that are easy to install, easy to use and highly secure. Get that combination right, and you’ll be well placed to protect critical systems, data and business operations from the growing threat of MFA bombing and access-based attacks.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
