
By Chuck Gallagher — Business Ethics Keynote Speaker and Trainer
TL;DR: Around 60 percent of breaches involve a human element, and Chuck Gallagher, business ethics keynote speaker, argues the fix is not more training videos but better systems that remove the opportunity for bad choices. Cybersecurity is being treated as a technology problem when it is really an ethics and culture problem. Until leaders own that, the breach numbers will keep climbing.
A help-desk employee at MGM Resorts answered the phone in September 2023, heard a voice that sounded credible, and reset a set of credentials. Ten days of operational chaos followed. Slot machines went dark, hotel keys stopped working, reservations collapsed. MGM later put the impact at roughly $100 million for the quarter, and Caesars Entertainment, hit by the same crew through the same kind of social engineering, reportedly paid about $15 million to keep stolen customer data off the internet. No firewall failed. No zero-day exploit. Two phone calls, two human decisions, and two billion-dollar companies on their knees.
A recent piece from OutThink, “Human-Centric Cybersecurity: Why Secure Behaviour Is the New Security Perimeter,” makes the case that the perimeter is no longer the network. The perimeter is the person. Verizon’s 2025 Data Breach Investigations Report puts the human element in roughly 60 percent of breaches, and Gartner has elevated Security Behaviour and Culture Programs (SBCP) to a defining cybersecurity trend for the next several years. The piece argues that organizations should stop pretending technology will solve a problem rooted in human decision-making. I agree with the diagnosis. I want to push the prescription further.
As a business ethics keynote speaker, I have spent more than two decades arguing that nearly every catastrophic failure inside an organization, from accounting fraud to data breaches, traces back to the same three ingredients: need, opportunity, and rationalization. The OutThink piece focuses on behavior. Behavior is the visible part. Underneath the behavior is a set of choices, and underneath the choices is a culture that either makes the right thing easy or makes the wrong thing convenient. If you only treat the behavior, you are bandaging a symptom.
What Is the Real Root Cause When a Human Clicks the Wrong Link?
The OutThink article references Daniel Kahneman’s work on fast and slow thinking, and the connection to security failures is exactly right. Under deadline pressure, employees default to the fast, automatic mode, the one that responds to urgency, familiarity, and authority without stopping to verify. Attackers know this. That is why vishing works. That is why a help-desk employee at MGM did not pause. The attacker did not have to break a system. The attacker had to read a person.
Here is where I push past the article. Behavior under pressure is shaped by what the organization tolerates on calm days. If your culture rewards speed over verification, your employees will trade verification for speed when the pressure rises. If senior leaders skip multifactor authentication because it is annoying, the rest of the company will read that signal and act accordingly. Culture is not what is written in the policy. Culture is what leaders do when no one is watching, and what employees see leaders do when everyone is watching.
Why Training Alone Fails, and What Removing Opportunity Actually Means
I have written a great deal about removing opportunity as the most controllable variable in ethics. You cannot fully control whether an employee is going through a divorce, dealing with a sick parent, or drowning in credit card debt. You can control whether that employee has unsupervised access to wire transfer authority. The same logic applies to cyber. You cannot make every employee a security expert. You can design a system where the cost of a single rushed decision is contained.
OutThink describes the PIPE framework: Practices, Influencers, Platforms, Enablers. That is a useful scaffold. I would add a fifth element that the cybersecurity field tends to underweight: accountability at the top. When a breach happens, the security awareness team gets blamed and the help-desk employee gets coached. The CEO who underfunded the program for three years stays on stage at the next earnings call, talking about resilience. As an AI speaker and author who watches these patterns play out across industries, I can tell you the breach economics will not change until the accountability does.
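One way to make "removing opportunity" concrete for the help-desk scenario above, as an added illustration rather than anything from the article or from MGM's own process: a policy-as-code check in which the outcome of a reset request never depends on how convincing the caller sounds. Field names, thresholds and phone numbers are hypothetical.

```python
from dataclasses import dataclass

# Constructed request record; the phone numbers used in tests are placeholders.
@dataclass
class ResetRequest:
    account: str
    channel: str                     # "phone" or "portal"
    privileged: bool                 # admin, break-glass or identity-provider roles
    manager_approved: bool = False   # recorded in the ticket system, never relayed by the caller
    existing_factor_ok: bool = False # portal only: an already-enrolled MFA factor succeeded
    callback_verified: bool = False  # phone only: one-time code confirmed on a callback
    callback_number: str = ""        # number the agent actually dialled
    number_on_file: str = ""         # number from the HR/identity record

DENY, ALLOW, ESCALATE = "deny", "allow", "escalate"

def decide_reset(req: ResetRequest) -> tuple[str, str, dict]:
    """Return (decision, reason, constraints).

    Deny by default. Every allow names the control that satisfied it, so the
    ticket records why the reset happened rather than who sounded credible.
    """
    if req.privileged and req.channel == "phone":
        # No amount of urgency on the line can reach a privileged reset.
        return ESCALATE, "privileged resets are never completed by phone; ticket plus manager approval", {}
    if req.privileged and not req.manager_approved:
        return DENY, "privileged reset without recorded manager approval", {}
    if req.channel == "phone":
        if not req.callback_verified:
            return DENY, "no callback verification completed", {}
        if req.callback_number != req.number_on_file:
            # The classic vishing move: "call me back on this number".
            return DENY, "callback went to a caller-supplied number, not the number on file", {}
        how = "callback to number on file"
    else:
        if not req.existing_factor_ok:
            return DENY, "portal reset without an existing MFA factor", {}
        how = "existing factor in portal session"
    # Contain the blast radius even when the reset is legitimate.
    constraints = {
        "temporary_credential_ttl_minutes": 60,
        "force_change_on_first_login": True,
        "mfa_reenrollment_requires_separate_approval": True,
    }
    return ALLOW, "verified via " + how, constraints
```

The value of the structure is that the agent under pressure only has to follow the decision, not win an argument with the caller.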
What Leaders Should Do on Monday Morning
The OutThink piece points to measurable indicators that matter, including reporting speed, phishing simulation response patterns, and willingness to flag mistakes without fear. I would underline that last one. A culture built on blame buries risk. A culture built on transparency surfaces it while there is still time to act. I have argued at ChuckGallagher.com for years that the strongest signal of a healthy organization is how quickly bad news travels upward. If your help-desk employee is afraid to admit they reset a credential they should not have, you will learn about it from a ransomware note instead.
Treat security behavior the way you would treat any other ethical behavior. Make the right action the easy action. Make the wrong action friction-heavy. Reward people who report and who pause. Hold leaders accountable for the systems they fund, not just the slogans they post. Then watch the breach numbers move.
Frequently Asked Questions
What does human-centric cybersecurity actually mean?
Human-centric cybersecurity is an approach that designs security around how people actually behave under pressure rather than how policies assume they will behave. According to Verizon’s 2025 Data Breach Investigations Report, roughly 60 percent of breaches involve a human element, which means technical defenses alone cannot close the gap. The approach integrates psychology, organizational culture, and technology rather than treating security as purely a technical problem.
Why are leadership and culture central to cybersecurity outcomes?
Leadership behavior signals what an organization actually values, regardless of what the policy manual says. Research cited by Gartner, which identifies Security Behavior and Culture Programs as a key trend, shows that employees mirror what senior leaders do, not what they post. As Chuck Gallagher, business ethics keynote speaker, has argued, culture is set from the top, and a leader who skips security steps is teaching everyone else to skip them too.
What is a Security Behavior and Culture Program (SBCP)?
An SBCP is a structured initiative, identified by Gartner as a defining cybersecurity trend, that aims to change employee security behavior continuously rather than through annual training. It typically uses a framework such as PIPE, which stands for Practices, Influencers, Platforms, and Enablers. The goal is to make secure behavior part of normal work rather than an interruption to it.
What did the MGM Resorts breach actually teach the industry?
The September 2023 attack by the Scattered Spider group used vishing, a voice phishing technique, to convince an IT help-desk employee to reset privileged credentials. No technical vulnerability was exploited. MGM estimated roughly a $100 million quarterly impact, and the attack disrupted hotel operations for about ten days, demonstrating that one social engineering call can cripple a multibillion-dollar enterprise.
How should boards measure whether security culture is improving?
Boards should track behavioral metrics rather than awareness scores. Useful indicators include the speed at which employees report suspicious messages, how phishing simulation response rates change over time, and whether employees feel safe admitting mistakes without retaliation. These behavioral signals predict breach exposure more reliably than completion rates on annual training modules.
I would like to hear from you. If you sit in a leadership seat or carry security responsibility inside your organization, what is the single biggest cultural barrier you are running into when you try to make secure behavior the default? Drop your thoughts in the comments. The conversation is more valuable than any monologue I could give. To go deeper on the questions this raises, here are five worth sitting with.
Five Questions for Further Thought and Consideration
- If a breach traced back to a rushed decision by a junior employee, would your organization examine the conditions that produced the rush, or would it stop at coaching the employee?
- What does your senior leadership team actually do when a security control feels inconvenient, and what message does that send to everyone else?
- How quickly does bad news travel upward in your organization, and what would have to change to make it travel faster?
- Are you investing in tools because they are visible to the board, or because they meaningfully reduce human risk?
- If your help-desk employees were polled anonymously tomorrow, would they say they feel safe reporting a mistake the moment it happens?
Join the conversation
If you sit on an executive team or a board, I want to hear from you in the comments below. When was the last time your organization treated a near-miss security event as a culture diagnostic rather than an IT incident? The honest answers to that question tell you more about your true cyber posture than any audit report. Share your perspective, push back if you disagree, and use the questions below to start a conversation inside your own organization.
Five Questions for Further Thought and Consideration
- If a junior employee on your team noticed a cybersecurity gap tomorrow, would they tell their manager within an hour, within a week, or never at all — and what does that answer reveal about your culture?
- Where in your incentive structure does speed or revenue quietly compete with security, and who is accountable when those two pressures collide?
- How would your organization respond if a deepfake of your CEO authorized a fraudulent transaction — and have you ever walked through that scenario as a leadership team?
- Which of your critical vendors have you actually audited for cybersecurity posture, and which have you simply trusted because the contract said you should?
- If your most material long-lived data were stolen today and decrypted in 2032, what would the consequences be — and what are you doing about post-quantum encryption right now?
