
Article

The human element in cyber risk management: From mental health to proactive people-centric solutions

Explore how focusing on people and culture strengthens cyber risk management and builds resilience against evolving digital threats.

The human factor is a critical and often overlooked driver of cyber breaches: commonly cited industry estimates attribute around 90% of incidents to human error, and the mental health impact of cyber incidents further exacerbates organisational vulnerability. People-centric solutions, such as integrating mental health support, personalised behavioural risk assessments, and culture-focused strategies, shift cyber risk management from reactive compliance to proactive resilience. By empowering employees and fostering supportive cultures, these approaches reduce cyber risk and build sustainable organisational strength against evolving threats.

The context

In the rapidly evolving digital landscape, cyber risk management has traditionally centred on technological defences, compliance frameworks, and incident response protocols. Yet, despite sophisticated firewalls and advanced detection systems, cyber incidents continue to proliferate, often triggered or exacerbated by human factors. Commonly cited industry estimates attribute around 90% of cyber breaches to human error, underscoring the need to address the human factor within cyber risk management.

Increasingly, organisations recognise that the human element — employees’ behaviours, mental health, and organisational culture — is the critical frontier in managing cyber risk effectively.

This article combines the expertise and experience of Marsh and Mercer and explores the multifaceted human dimension of cyber risk management. It draws on recent research and innovative solutions that highlight the psychological impact of cyber incidents and the transformative potential of people-centric risk assessment tools. By integrating mental health considerations with data-driven behavioural insights, organisations can shift from reactive crisis management to proactive resilience-building.

The hidden toll: Mental health impact of cyberattacks

Cyber incidents, particularly ransomware attacks, inflict more than operational disruption — they take a profound psychological toll on the people involved. A study by Northwave Cyber Security reveals the often-overlooked mental health consequences employees experience during and after ransomware incidents.

The research categorises the mental impact into three distinct phases:

  • Immediate aftermath (first week): Employees report acute stress, anxiety, and physical symptoms such as headaches and fatigue. The pressure to restore systems quickly often leads to long working hours and sleep deprivation.
  • Short-term period (first month): Feelings of guilt, frustration, and helplessness emerge, with many employees experiencing sleep disturbances and negative thought patterns.
  • Long-term effects (up to one year): Some individuals develop trauma symptoms, including hypervigilance and emotional exhaustion, which can lead to job dissatisfaction or even career changes.

Notably, the study highlights gender differences, with women reporting more severe symptoms. It also identifies unhealthy coping mechanisms, such as withdrawal or overworking, that can exacerbate mental health issues.

These findings underscore the critical need for organisations to embed mental health support into their cyber incident response plans. The Northwave white paper recommends creating a supportive culture that normalises mental health discussions, providing access to counselling services, and implementing structured managerial check-ins to monitor employee well-being throughout the recovery process.

By addressing the human cost of cyber incidents, organisations not only support their workforce but also enhance overall resilience, as mentally healthy employees are better equipped to respond effectively to future threats.

Beyond compliance: Innovative human-centric cyber risk assessment

While mental health support addresses the aftermath of cyber incidents, preventing such events requires a fundamental shift in how organisations assess and manage cyber risk. Traditional approaches often focus on technical controls and compliance checklists, neglecting the complex human behaviours that underpin many cyber vulnerabilities.

Marsh and Mercer have developed a solution, the People Cyber-Risk Assessment, that places the human element at the core of cyber risk management. This initiative was recently nominated for the European Risk Management Award 2025 in the Technology Innovation of the Year category.

The solution integrates psychological and cultural diagnostics with data-driven planning, enabling organisations to assess cyber risk at multiple levels:

  • Individual predisposition assessment: This tool profiles employees’ personality traits and behavioural tendencies related to cyber risk, generating personalised reports with tailored recommendations to improve cyber hygiene, for example closing gaps in an employee’s technical knowledge and reducing their susceptibility to social engineering.
  • Company culture assessment: Evaluates organisational norms, values, and behaviours that influence cyber risk, identifying cultural strengths and vulnerabilities.
  • Knowledge and skills assessment: Measures employees’ current cyber knowledge and skills to pinpoint gaps and training needs.

By combining these assessments, organisations gain a holistic understanding of their human risk landscape, moving beyond generic training to targeted, effective interventions.

This approach redefines cyber risk management workflows by shifting from reactive, compliance-driven models to proactive, people-centric strategies. It recognises that cyber risk is not just a technical issue but a behavioural and cultural challenge requiring tailored solutions. These assessments complement rather than replace technical controls such as strong authentication and least-privilege access; their purpose is to target the behaviours that such controls cannot fully constrain.

Data-driven personalisation: Tailoring education and awareness

One of the most significant limitations of traditional cyber awareness programmes is their “one-size-fits-all” design, which often fails to engage employees or address their specific risk profiles. The Mercer People Cyber-Risk Assessment overcomes this by using data to customise education and awareness initiatives.

The Individual Predisposition Assessment generates personalised profiles that provide employees with actionable tips tailored to their unique behavioural tendencies. For example, an employee prone to impulsivity might receive guidance on pausing before clicking links, while someone with high conscientiousness might be encouraged to share best practices with peers.

At the organisational level, aggregated data is visualised through dashboards that reveal trends and risk clusters, enabling leaders to prioritise resources and design targeted training programmes. This data-driven approach ensures that interventions are both efficient and impactful, focusing efforts where they are most needed.

Moreover, by integrating company culture and knowledge assessments, organisations can align their cyber risk strategies with broader organisational goals and values, fostering a cohesive and resilient workforce.

Building a supportive cyber culture: Leadership and organisational strategies

Technology and training alone cannot create lasting cyber resilience without a supportive organisational culture. Leadership plays a pivotal role in fostering an environment where employees feel valued, informed, and empowered to act securely.

The Northwave study emphasises the importance of managerial support during cyber incidents. Practical steps include:

  • Clear communication: Keeping teams informed about incident status and expectations reduces uncertainty and anxiety.
  • Equitable task distribution: Avoiding overburdening specific individuals prevents burnout.
  • Regular mental health check-ins: Proactively monitoring well-being helps identify and address issues early.

Creating a culture that prioritises mental well-being and continuous learning not only improves security outcomes but also enhances employee engagement and retention. When employees trust that their organisation cares about their health and development, they are more likely to adopt secure behaviours and report potential risks.

Broader implications: Enhancing digital literacy and societal resilience

The benefits of human-centric cyber risk management extend beyond individual organisations. By improving digital literacy and fostering responsible cyber behaviour, these approaches contribute to a safer digital ecosystem for communities and society at large.

Marsh and Mercer have long approached cyber risk management through a collaborative model that integrates multiple stakeholders, including risk managers, HR, and IT, to create comprehensive strategies that enhance operational resilience. This holistic approach not only reduces the frequency and impact of cyber incidents but also promotes economic stability by mitigating the financial losses associated with breaches.

Moreover, by raising awareness and building skills across the workforce, organisations contribute to broader societal goals of digital literacy and trust in technology. As cyber threats continue to evolve, embedding the human element into risk management is essential for building resilient organisations and a secure digital future.

Leveraging employees to reduce cyber risk

The future of cyber risk management lies in embracing the human element holistically — from recognising the mental health impacts of cyber incidents to deploying innovative, data-driven tools that personalise risk assessment and education. Organisations that invest in people-centric solutions and foster supportive cultures will not only reduce vulnerabilities but also empower their workforce to be active defenders in the cyber landscape.

By shifting from reactive responses to proactive strategies that place humans at the centre, businesses can transform cyber risk management into a sustainable competitive advantage and contribute to a safer, more resilient digital world.

Connect with our experts to strengthen your cyber resilience with people-centric solutions.
