Author
Andrew Wright, Gyuchan Thomas Jun Abstract
The human and organisational factors contributing to information security are still poorly understood, primarily due to a lack of research and absence of suitable techniques to assess complex digital systems. This paper presents the application of the System-Theoretic Accident Models and Process (STAMP) technique to the 2013/2014 Target Corporation data breach. The aims of the study are to investigate the causal factors using a systemic approach, and to demonstrate the benefits of the technique to information security applications. A number of critical control flaws were identified through the STAMP analysis include: i) poor external and internal communication/co-ordination of new threats and vulnerabilities; ii) inadequate learning from past events, internally and externally; iii) a lack of proactive security management to understand and learn from system successes and good practices as well as system failures; iv) ineffective management and co-ordination with the supply chain.

Author
Richard Farry Abstract
Organisations can unintentionally create friction, dysfunction, and harm through the design of their structures, processes, and information flows. This paper introduces Adversarial Design Thinking, a parallel‑design method that applies a malicious‑insider mindset to organisational architecture to reveal these hidden vulnerabilities. A Red Team is tasked to design solutions that meet stated goals while maximising plausible, undetected organisational harm, while a Blue Team designs conventionally. Comparing their outputs surfaces latent risks, structural weaknesses, and unintended consequences that human‑centred approaches—often assuming good intent—may overlook. The paper presents the GHOST and Harm frameworks to support identification of adversarial design patterns, showing how organisational features can hide harm, degrade recovery, and allow dysfunction to accumulate. This lens strengthens organisational resilience and design quality.

Author
Eylem Thron & Shamal Faily Abstract
Automation improves rail passenger experience but may reduce cyber resilience because it fails to adequately account for human factors. Preliminary results from a study on signallers and automation confirms this, but judicious use of modelling tools may ensure design for automation considers this.

Author
Elzbieta Titis, Andrew Burd Abstract
This study builds on our prior research identifying key barriers to cyber security engagement, such as techno-invasion stress, demographic disparities in training uptake, and frustration with rigid protocols. Through a mixed-methods approach, it proposes targeted, human-centred initiatives with micro actions to improve engagement, reduce stress, and promote shared responsibility across age and gender groups in a mid-sized UK organisation, moving beyond purely technical considerations. We outline these initiatives and reflect on their long-term impact. The study recommends that organisations leverage these insights as a model of good practice and, along with other available data, use them to refine and strengthen their cyber security strategies.

Author
Rob HUTTON, Hannah BLACKFORD, Kevin BENNETT, Nigel JONES, and Ade FISHER Abstract
Military commanders are increasingly required to understand more than just the physical terrain. Understanding activities in cyberspace and their impact on operations presents a number of challenges for military personnel, tech-savvy or not. This paper presents a cognitive systems engineering approach to providing visualization solutions to support commander decision making. An Ecological Interface Design (EID) approach was used. Challenges for supporting cyber situational awareness are described.

Author
Eylem Thron, Duncan Ki-Aries, Huseyin Dogan, Martin Freer, Shamal Faily Abstract
Cyber-attacks increasingly threaten critical infrastructure, where interactions between security, safety, and human-system behaviour create complex socio-technical risks. If not managed early, these interactions can produce latent vulnerabilities and unsafe operational states. This paper presents a Minimum Viable Product (MVP), developed by Bournemouth University and Mima and funded by the Defence Science and Technology Laboratory (Dstl), to operationalise Secure-by-Design through integrated Human Factors (HF), safety, and cybersecurity analysis. The MVP combines System-Theoretic Process Analysis (STPA) with Hierarchical Task Analysis (HTA), Cognitive Task Analysis (CTA), Performance Shaping Factors (PSFs), and Human Attributes analysis to generate a structured and traceable User Requirements Document (URD) from a Defence specification exemplar. Results demonstrate that integrating HF, safety, and cybersecurity during early capability definition enables identification of cross-domain risks and supports derivation of coherent, traceable Secure-by-Design requirements for cyber-physical systems.

Author
Stephen AMBORE, Edward APEH, Huseyin DOGAN, Christopher RICHARDSON, and David OSSELTON Abstract
Cybercrime is slowing down the adoption of Mobile Financial Service (MFS). Despite the existence of a strong technical infrastructure base for security and the benefits inherent in MFS, adoption has been slow. Highly resilient countermeasures for cybersecurity go beyond just providing technological controls to put in place measures to cater for the human element. This paper presents the findings of an analysis of the human factors issues in complex MFS Socio-Technical System (STS) and the objectives for mitigating these.

Author
Murray SINCLAIR, Paul PALMER and Carys SIEMIENIUCH Abstract
The paper reports some of the findings for the H2020 project, Road2CPS. This project was intended to provide advice to the European Commission, based on the outputs of 54 FP7 and H2020 projects plus 18 ARTEMIS and ECSEL industry-based project consortia, all in the area of Cyber-Physical Systems. One of the goals of this project was to identify gaps in the knowledge and applications coverage of CPS and provide recommendations regarding these. The paper reports briefly on the methodology that was used, and the ‘key messages’ arising from the analysis that are relevant to CIEHF academics and pracitioners.

Author
Linn Iren Vestly Bergh, Kristian Solheim Teigen & Fredrik Dørum Abstract
The petroleum industry is becoming increasingly dependent on digital systems, and the companies have ambitious plans for increased use of digital technology – along the entire value chain. Increased levels of digitalisation present major opportunities for efficiency in the oil and gas industry and can also contribute to enhanced levels of resilience to major accident hazards. At the same time, new risks and uncertainties may be introduced. Based on developments in the industry and society in general, the Norwegian Petroleum Safety Authority (PSA) has in recent years pursued targeted knowledge development related to digitalisation and industrial cyber security. The PSA’s follow-up activities related to digitalisation initiatives in the industry have been based on input and experience from several knowledge development projects. In this paper we will give insight into the main regulatory strategies we have used to follow-up initiatives in the industry, present results from audits on automated drilling operations and discuss the results from the follow-up activities in light of current regulatory development.

Author
Murray SINCLAIR, Carys SIEMIENIUCH and Michael HENSHAW Abstract
Whether or not manufacturing moves whole-heartedly to the paradigm of Cyber-Physical Systems of Systems as indicated first in the ‘Industrie 4.0’ programme in the FRG, there is little doubt that manufacturing will become software-dominated by 2025. This will have significant implications for ergonomists involved in manufacturing: for the nature of roles and jobs, for the design of workspaces and workplaces, and for the design of the interactions between humans and automation. The paper explores some of these implications.