The influence of the human factor in decision-making in cyber security exercises

DOI: https://doi.org/10.3846/mla.2025.25252

Abstract

Cybersecurity is an interdisciplinary field that encompasses aspects of information technology, forensics, incident management, and the human factor. In cyber security, decision-making is influenced by the specialist’s technical knowledge, competencies, and professional experience. However, decisions made in extreme and complex situations are influenced by emotions, motivation, social skills, and cognitive abilities. Therefore, this paper investigated the human factor influencing decision-making of participants in cyber security exercises, and proposed a multidimensional decision-making framework. A study conducted by analyzing the data of the cyber security exercise “Amber Mist” showed that an integrated assessment of technical competencies and the human factor allows for a more accurate determination of the decision-making of a cyber security specialist and its prediction. It was determined that when analyzing decision-making in cyber security exercises, it is necessary to take the human factor into account. The results of the study can be used to improve methodologies and programs for training cyber security specialists.

Article in Lithuanian.

Žmogiškojo faktoriaus įtaka priimant sprendimus kibernetinės saugos pratybose

Santrauka

Kibernetinė sauga – tai tarpdisciplininė sritis, apimanti informacinių technologijų, kriminalistikos, incidentų valdymo aspektus bei žmogiškąjį faktorių. Kibernetinėje saugoje sprendimų priėmimą veikia specialisto techninės žinios, kompetencijos, profesinės veiklos patirtis. Tačiau ekstremaliose bei sudėtingose situacijose priimamus sprendimus veikia emocijos, motyvacija, socialiniai įgūdžiai, kognityviniai gebėjimai. Todėl šiame darbe buvo tiriamas žmogiškasis faktorius, darantis įtaką kibernetinės saugos pratybų dalyvių sprendimų priėmimui, ir pasiūlytas daugiamatis sprendimo priėmimo karkasas. Atliktas tyrimas analizuojant kibernetinių saugos pratybų „Gintarinė migla“ duomenis parodė, jog integruotas techninių kompetencijų ir žmogiškojo faktoriaus vertinimas leidžia tiksliau nustatyti kibernetinio saugumo specialisto sprendimų priėmimą ir jį prognozuoti. Nustatyta, kad analizuojant sprendimų priėmimą kibernetinės saugos pratybose būtina atsižvelgti į žmogiškąjį faktorių. Tyrimo rezultatai gali būti naudojami tobulinant kibernetinės saugos specialistų rengimo metodologijas ir programas.

Reikšminiai žodžiai: kibernetinės saugos pratybos, žmogiškasis faktorius, sprendimų priėmimas.

Keywords:

cybersecurity exercises, human factor, decision making

How to Cite

Kulikauskaitė, K. (2025). The influence of the human factor in decision-making in cyber security exercises. Mokslas – Lietuvos ateitis / Science – Future of Lithuania, 17. https://doi.org/10.3846/mla.2025.25252

Share

Published in Issue
November 13, 2025
Abstract Views
85
PDF Downloads
45

License

Copyright (c) 2025 The Author(s). Published by Vilnius Gediminas Technical University.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

References

Barford, P., Dacier, M., Dietterich, T. G., Fredrikson, M., Giffin, J., Jajodia, S., Jha, S., Li, J., Liu, P., Ning, P., Ou, X., Song, D., Strater, L., Swarup, V., Tadda, G., Wang, C., & Yen, J. (2010). Cyber SA: Situational awareness for cyber defense. In S. Jajodia, P. Liu, V. Swarup, & C. Wang (Eds.), Advances in information security: Vol. 46. Cyber situational awareness (pp. 3–13). Springer. https://doi.org/10.1007/978-1-4419-0140-8_1

Colabianchi, S., Costantino, F., Nonino F., & Palombi G. (2025). Transforming threats into opportunities: The role of human factors in enhancing cybersecurity. Journal of Innovation & Knowledge, 10(3), 1–25. https://doi.org/10.1016/j.jik.2025.100695

Dykstra, J., & Lyn Paul, C. (2018). Cyber Operations Stress Survey (COSS): Studying fatigue, frustration, and cognitive workload in cybersecurity operations. National Security Agency (NSA). https://www.nsa.gov/portals/75/documents/news-features/news-stories/2018/measuring-stress-in-a-high-risk-environment/usenix_cybersecurity_ops_stress.pdf

Dutt, V., Ahn, Y. S., & Gonzalez, C. (2013). Cyber situation awareness: Modeling detection of cyber attacks with instance-based learning theory. Human Factors, 55(3), 605–618. https://doi.org/10.1177/0018720812464045

European Union Agency for Cybersecurity. (2023). Threat landscape 2023. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023

Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I. (2020). Multicriteria decision framework for cybersecurity risk assessment and management. Risk Analysis, 40, 183–199. https://doi.org/10.1111/risa.12891

Granåsen, M., & Andersson, D. (2015). Measuring team effectiveness in cyber-defense exercises: A cross-disciplinary case study. Cognition, Technology & Work, 18, 121–143. https://doi.org/10.1007/s10111-015-0350-2

Greitzer, F. L., Purl, J., Leong, Y. M., & Sticha, P. J. (2019). Positioning your organization to respond to insider threats. IEEE Engineering Management Review, 47(2), 75–83. https://doi.org/10.1109/EMR.2019.2914612

Hagen, R. A., Øverlier, L., & Helkala, K. (2025). Human factors in AI-driven cybersecurity: Cognitive biases and trust issues. Digital Threats: Research and Practice. https://doi.org/10.1145/3759260

Harren, V. A. (1979). A model of career decision making for college students. Journal of Vocational Behavior, 14(2), 119–133. https://doi.org/10.1016/0001-8791(79)90065-4

Yao, A., Huang, C., Zhang, W., Dong, C., Lu, M., Mao, J., Liu, X., & Li, X. (2025). Enhancing cyber defense strategies with discrete multi-dimensional Z-numbers: A multi-attribute decision-making approach. Complex & Intelligent Systems, 11, Article 216. https://doi.org/10.1007/s40747-025-01786-z

IBM Trust Center. (2022). Annual report. https://www.ibm.com/investor/att/pdf/IBM_Annual_Report_2022.pdf

International Organization for Standardization. (2023). Information technology — Information security incident management. Part 1: Principles and process (ISO/IEC Standard No. 27035-1:2023). https://www.iso.org/standard/78973.html

Khadka, K., & Ullah, A. B. (2025). Human factors in cybersecurity: An interdisciplinary review and framework proposal. International Journal of Information Security, 24, Article 119. https://doi.org/10.1007/s10207-025-01032-0

Kott, A., Wang, C., & Erbacher, R. F. (Eds.). (2014). Cyber defense and situational awareness. Springer International Publishing. https://doi.org.10.1007/978-3-319-11391-3

Langlois, P., Pinto, A., Hylender, D., & Widup, S. (2023). 2023 Data Breach Investigations Report: 10K 20K 30K. https://doi.org/10.13140/RG.2.2.32362.70085

Lietuvos Respublikos krašto apsaugos ministerija. (2023). Lietuvos kibernetinio saugumo būklės apžvalga: svarbiausia informacija 2023 m. https://kam.lt/wp-content/uploads/2024/06/KS-ataskaitos-2023-Santrauka-LT_final.pdf

Lietuvos Respublikos krašto apsaugos ministerija. (2024). Nacionalinė kibernetinio saugumo būklės ataskaita. https://www.nksc.lt/doc/Nacionaline-kibernetinio-saugumo-ataskaita-2024.pdf

Maennel, K., Brilingaitė, A., Bukauskas, L., Juozapavičius, A., Knox, B. J., Lugo, R. G., Maennel, O., Majore, G., & Sütterlin, S. (2023). A multidimensional cyber defense exercise: Emphasis on emotional, social, and cognitive aspects. Sage Open, 13(1). https://doi.org/10.1177/21582440231156367

Scott, S. G., & Bruce, R. A. (1995). Decision-making style: The development and assessment of a new measure. Educational and Psychological Measurement, 55(5), 818–831. https://doi.org/10.1177/0013164495055005017

Valstybinė duomenų apsaugos inspekcija. (2023). 2023 m. veiklos ataskaita. https://vdai.lrv.lt/lt/administracine-informacija/veiklos-ataskaitos/

Valstybinė duomenų apsaugos inspekcija. (2024). Pranešimų apie asmens duomenų saugumo pažeidimus (ADSP) apžvalga 2024 m. https://vdai.lrv.lt/lt/naujienos/asmens-duomenu-saugumo-pazeidimai-lietuvoje-2024-m/

Valstybinė duomenų apsaugos inspekcija. (2025). Pranešimų apie asmens duomenų saugumo pažeidimus (ADSP) apžvalga 2025 m. https://vdai.lrv.lt/lt/naujienos/asmens-duomenu-saugumo-pazeidimai-lietuvoje-2025-m-i-pusm-PJS/

Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. https://doi.org/10.1016/j.cose.2013.04.004

View article in other formats

  • PDF

CrossMark check

CrossMark logo

Published

2025-11-13

Issue

Vol 17 (2025): In Progress

Section

Information Technologies & Multimedia / Informacinės technologijos ir multimedija

Copyright

Copyright (c) 2025 The Author(s). Published by Vilnius Gediminas Technical University.

License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

Kulikauskaitė, K. (2025). The influence of the human factor in decision-making in cyber security exercises. Mokslas – Lietuvos ateitis / Science – Future of Lithuania, 17. https://doi.org/10.3846/mla.2025.25252

Share