INSIGHT DETAIL
Modern Cyber Risk Management Models with the Zero Trust Security Approach
In modern cybersecurity architectures, threats primarily stem from two main sources:human error and system (software/infrastructure) vulnerabilities.

In cybersecurity, it's usually both.
When trying to find the cause of a security attack, people often ask: Was it the employee who clicked the link? Was it the software team that overlooked a vulnerability?
Was the cloud environment misconfigured? But the issue is often deeper
A phishing attack can reveal credentials. Excessive account permissions can provide access to highly confidential information. Leaving a server unpatched can allow attackers to penetrate deeper into the network later. Human error and technical vulnerabilities are different risks, but whatever the cause, the attacker uses the vulnerabilities they find to carry out their attack.
An organization’s digital environment used to be easier to define. Employees worked from company offices, applications ran on internal servers and access was largely controlled through the corporate network.
That boundary has almost disappeared.
Today, employees connect from different locations and devices. Data moves between cloud platforms, mobile applications, third-party services and external partners. User permissions change as people join teams, move between roles or leave the organization.
This flexibility is valuable, but it creates a security environment in which trust is harder to manage.
A company may have strong security tools and still be exposed because an old account remains active. A well-trained employee may still make a mistake when faced with a convincing request during a busy working day. A secure application may depend on a vulnerable third-party component.
There is no single control that solves all of these problems.
Security has to account for the way people actually work and the way systems actually fail.
It is easy to blame users after an incident.
Someone opened the attachment. Someone approved the request. Someone stored a file in the wrong place.
That explanation may be accurate, but it is rarely complete.
People often make unsafe decisions because the process around them is unclear or badly designed. A security warning may be too technical to understand. An approval process may take so long that employees start finding ways around it. Access rights may be so complicated that managers approve permissions without knowing exactly what they include.
The user may make the final mistake, but the organization may have created the conditions for it.
Common user-related risks include:
The seriousness of the mistake depends on what is exposed.
A compromised social media password is a problem. A compromised administrator password is a different kind of problem entirely.
The same applies to crypto wallets. A recovery phrase stored in an email account or cloud folder may give an attacker direct access to every asset linked to that wallet. There may be no reset process and no central authority able to reverse the transaction.
The action itself may take only a few seconds. The consequences can be permanent.
Social engineering is the latest evolving threat.
Social engineering works because it doesn't start with code. It starts with context, often built using OSINT (open-source intelligence) gathered about the target.
The attacker is attempting to map out what they think the target expects to see.
For example, a finance employee may see an email that appears to be from a senior manager saying they need help.
A customer might be tricked to open a message appearing as if it was from the bank.
An employee could receive a phony password reset alert that mimicked the organization's real login page.
The likely patterns to these attacks are pretty common:
Urgency, Authority, Fear, Curiosity, Familiarity
The intent is to never let the target pause long enough to stop and even think about what they ask of them.
This has made it much easier for attackers to do with the help of artificial intelligence. Early warning signs of this were poor grammar and generic wording. Now these are much less reliable.
For example, write messages that sound natural considering the target's position and providing information obtained through public sources. Fake requests can then take the form of a voice clone or using manipulated images disguised as real member employees like executives.
That does not mean every employee should be trained to become a forensic investigator. Instead, organizations need verification processes that are clearer and more reliable.
Never trust a request for money, sensitive data, or access rights just because the message looks genuine. There should always be another way to confirm it.
But process matters just as much as awareness.
Openings Made by Technical Vulnerabilities
The human behavior is only one part of the issue.
Software, networks and infrastructure have their own vulnerabilities. Some are introduced during development. Others show up due to an improperly configured, unpatched or misconnected service that was never subjected to a proper review.
Technical vulnerabilities may include:
A vulnerability does not always translate a breach every time. It creates an opportunity.
Whether an attack succeeds depends on the system being attacked, how far the attacker manages to gain access, and the security controls in place.
For example, a bug in a less-critical internal tool may have negligible consequences. However, a similar vulnerability in an authentication platform or VPN service of choice or other ubiquitous enterprise application could compromise a large segment of the organization.
This risk becomes even more severe when a number of companies depend on the same product.
What makes a vulnerability in commonly used software an easy target for attackers is that once they have successfully exploited it, the same trick can be carried out thousands of times across hundreds or more separate installations.
They are no more attacking a singular company. They are targeting a shared vulnerability.
Not All Incidents End With A Patch
Upon vulnerability discovery, our natural instinct is to patch as soon as possible.
That is important but that alone will not suffice.
A patch closes the vulnerability. It does not tell the organization whether the vulnerability had already been exploited.
The attacker may have created one or more other accounts, changed a configuration option, installed a backdoor or copied sensitive data that still has not been detected before the necessary patch is applied.
Those actions are not removed just by fixing the original weakness.
Please note that security teams need to ask two different questions;
Has the vulnerability been corrected?
Was the environment compromised before it was corrected?
The second question, quite frequently is more difficult.
This involves checking logs for unusual account activity, changes to systems or network connections and signs of persistence. If this investigation is not done, then an organization may think the incident has finished while the attacker can still access.
During this time, temporary measures may be necessary. A vulnerable service could be isolated, or a WAF rule could be used to block a certain type of request. Until the system can be tested properly, access may be limited.
These are useful measures, but they should be seen as a way to buy time for the much-needed long-term solution rather than being that permanent solution.
One Attack Path that was Commonly Made Up of Human and Technical Risk
Consider a simple example.
A message arrives in the inbox of an employee apparently coming from a trusted service. They click on the link and type their password into a forged page.
This is the human aspect of this accident.
The attacker logins with the stolen credential. An employee picks up permissions from their past role, and the account has more access than needed because it was never reviewed after a previous change.
This is now an access management issue.
The attacker then discovers that an internal application is running vulnerable software and uses it to gain a higher level of access.
That is a technical vulnerability.
Because network segmentation is weak, the attacker is able to move from one environment to another, reach employee workstations, and extract sensitive data from a different system.
That is an architectural weakness.
Which part caused the breach?
The truth is any of them could be argued.
This is why security strategies built around a single explanation tend to fall flat. Patching alone does not fix a fraudulent payment that has already gone through. No amount of advanced detection can prevent damage caused by excessive access permissions. Real protection comes from layering multiple, independent controls, not relying on any single one.
Security systems generate large volumes of data. The challenge is not simply collecting more alerts. It is understanding which activity is unusual and why it matters.
A login from a new device is not necessarily malicious. A login from a new device, in another country, followed by a large data download may deserve immediate attention.
An administrator changing a configuration is normal. An administrator changing several critical systems at an unusual time may not be.
Useful sources of information include:
The value comes from connecting these signals.
An IAM log may show a successful login. A DLP alert may show that the same account downloaded an unusual amount of data. A network record may show a connection to an unfamiliar destination.
Seen separately, each event may appear manageable. Seen together, they may reveal an active compromise.
This is also where behavior analysis becomes useful. Security teams need to understand what is normal for a particular user, account, device and system. Without a baseline, unusual activity is much harder to recognize.
Respond to the Incident, Not Just the Mistake
When a user account is compromised, resetting the password is an obvious first step.
It should not be the last.
Active sessions may still be open. Authentication tokens may remain valid. The attacker may already have accessed other applications or created a new method of entry.
A proper response should determine:
What the account accessed? Which actions were performed? Whether data was downloaded or changed? Whether permissions were modified? Whether other accounts or systems were affected? Whether the attacker established persistent access?
The same principle applies to user education
Telling an employee to “be more careful” may feel like a response, but it does not explain why the incident occurred.
Was the phishing message unusually convincing? Was the login page difficult to distinguish from the real one? Was there no second verification step? Did the account have access it did not need?
The incident should be used to improve the system around the user, not simply to assign blame.
The goal is to reduce the probability and harm of dangerous errors.
That requires a combination of education, access control and practical design.
Useful measures include:
If employees are forced to complete an unnecessarily complex process every time they access a routine system, they will eventually look for shortcuts.
If password rules are impossible to remember, passwords will be stored somewhere unsafe. If an approval takes several days, accounts may be shared to keep work moving.
A security process that people cannot realistically follow is not a strong process.
The safest option should also be the easiest option whenever possible.
Build Security into the System, Not Around It
Adding controls after a system has been developed usually creates more cost, more complexity and more gaps.
By that stage, important architectural decisions may already be difficult to change.
Security by Design means asking security questions early:
How will users prove their identity? What access will each role require? Where will sensitive information be stored? How will actions be logged? What happens if a component fails? How will the organization update or isolate the system? Which third-party dependencies are involved?
These questions should be part of development, not a final checklist before launch.
Practical controls may include:
A Secure Software Development Life Cycle
None of these controls is sufficient on its own.
The goal here is not to find a perfect defense, but to ensure that the failure of one defense does not jeopardize the entire system.
Good security does not depend on every person, tool or system working perfectly. It depends on making sure that one mistake does not become a full-scale incident.
Disclaimer
This article is intended to provide a general perspective on human error, technical vulnerabilities and cybersecurity risk. It should not be treated as legal, regulatory or technical advice. Every organization has a different security environment, so risks and controls should always be assessed according to its own systems, operations and responsibilities.