According to the Verizon 2025 Data Breach Investigations Report (DBIR), the human element remained involved in breaches at roughly 60 percent, spanning social engineering, errors, and misuse.
The catalyst is not incompetence, but what the World Health Organization (WHO) recognises as an occupational phenomenon: burnout.
The human brain’s “CEO” — the prefrontal cortex — is responsible for the logic and risk assessment needed to spot a phishing attempt. However, this function operates on a finite energy supply.
As social psychologist Roy Baumeister established, willpower is a limited resource that depletes with every micro-decision made throughout the day. This means that by late afternoon, many employees are operating with significantly reduced cognitive capacity, leaving the individual biologically disarmed against sophisticated threats.
When this battery runs low, a dangerous shift occurs. Psychologist Daniel Kahneman explains that the brain conserves energy by shutting down System 2 (slow, analytical logic) and defaulting to System 1 (fast, emotional instinct).
Attackers understand this mechanic. They do not need to outsmart a fresh, alert employee; they simply wait for the exhausted, reactive “autopilot” to take over. A phishing email sent at 5:00 PM does not challenge logic; it exploits reflex.
This biological vulnerability is amplified by our circadian rhythms. As cortisol (the hormone associated with alertness) naturally drops in the afternoon, our defensive capabilities decline. However, for an employee suffering from burnout, this is not just a temporary dip; it is a near-total loss of cognitive reserve.
While a healthy brain retains some capacity to stay alert under pressure, burnout is defined by the depletion of these reserves. Without this biological “cushion”, the employee reaches zero visibility, unable to distinguish a threat from a routine task.
Security data reflects this pattern. The highest volume of successful attacks occurs during the “danger zone” between 2:00 PM and 6:00 PM. In the report The Psychology of Human Error (Tessian & Hancock, 2022), over half of employees (51%) said they make mistakes
at work when tired. This helps explain the “Friday Afternoon Fraud”, where targeted campaigns are deliberately timed to coincide with the lowest point of biological vigilance.
For organisations looking to reduce human-driven risk, the next step is to design a culture around how people actually function under pressure.
Biology creates vulnerability, but corporate culture often determines the outcome. In environments where mistakes are punished or shamed, employees are more likely to hide incidents, giving attackers valuable time to escalate damage.
The alternative is a deliberate shift from a culture of blame to a culture of reporting. To make this work under real-world pressure, organisations need behavioural tools that acknowledge human limits:
- The Method: Inhale for 4 seconds, hold for 4, exhale for 4, hold for 4.
- The Effect: This rhythmic pattern interrupts the fight-or-flight response (System 1) and helps re-engage analytical thinking (System 2).
- Stop: Pause and remove your hand from the mouse.
- Take a breath: Deeply inhale to oxygenate the brain.
- Observe: Notice the physical sensation of urgency. Is the message demanding speed or secrecy?
- Proceed: Act only once the emotional spike has passed.
We are humans operating within biological limits. Recognising that the brain has a “battery life” is not an excuse for failure, it is a requirement for better security design.
By acknowledging that vigilance cannot be sustained indefinitely, organisations can move beyond blame and towards a culture of resilience. Ultimately, the strongest firewall is not software alone, but a workforce that feels safe enough to report mistakes early and feels supported enough to ask for help and guidance.
Cycubix works with organisations to embed this reality into security governance, risk management, and operational controls. Contact us to see how we can help you empower your workforce, improve time-to-report, and build a resilient culture under pressure.
References
