Shared Security, Shared Consequences: My Iceberg Model of Cybersecurity
A somewhat long read on "Why Cybersecurity Fails Without You!"
On my bucket list is to someday visit Antarctica and witness the breathtaking aurora australis in all of its glory. The journey to get there isn't exactly straightforward - it involves flying for hours and then boarding a ship that glides across the frigid Southern Ocean. The air is biting, and the horizon stretches endlessly, a stark contrast between the dark sea and the icy giants floating upon it.
Imagine, even if just for a second, that you are me, standing on the deck of that ship, surrounded by the overwhelmingly impressive landscape of massive icebergs, their jagged peaks gleaming under the moonlight. The sheer size of these floating ice-monsters is awe-inspiring, but what is truly striking is what lies beneath the surface. What you see above water is only a fraction of their true form - the majority of the iceberg, sometimes up to 95%, is submerged, hidden from view but forming the foundation of the entire structure.
Much like these icebergs, security in the digital world is largely invisible. Beneath the surface and out of sight, companies invest billions in encryption, network defenses, other technical controls and compliance frameworks, constantly reinforcing their systems against cyber threats. But what about the part above the water? The way I like to describe it, the visible tip of the iceberg represents the user's role in security - a small yet crucial element that can determine the integrity of the entire structure, whether it remains stable or topples into disaster. Just as an iceberg can become dangerously unstable if its balance shifts, cybersecurity can collapse when users actively or ignorantly neglect their role in the shared responsibility model.
The misconception that security is solely the responsibility of companies has led to widespread complacency. Users often assume that if something goes wrong - an account gets hacked, a password leaks, funds go missing - it's the fault of the provider. However, cybersecurity is not a passive benefit; it's a dynamic, shared duty. If users fail to engage with even the most basic security features, the strongest systems can still fail. To understand this balance, I'd like us to take a deeper dive beneath the surface (pardon my terrible puns) and into the iceberg analogy - exploring both the ridiculously immense work companies put into security and the critical yet often neglected role of the user.
Much like the submerged portion of an iceberg, companies' security efforts often go unnoticed by users. Organizations continuously build, maintain, and enhance security controls to prevent attacks and protect data. I like to describe these efforts across the multiple domains they span:
Encryption and Data Protection: Organizations typically implement encryption at rest and in transit, so that data which is intercepted on the wire or lifted from stolen storage is unreadable to anyone who does not hold the key.
Authentication and Identity Management: Modern security frameworks employ multi-factor authentication (MFA), passkeys, and biometric verification. Companies invest in zero-trust models, ensuring that identity verification is continuous rather than a one-time process. A notable example is the 2014 iCloud celebrity photo leak: attackers obtained victims' credentials through phishing and password guessing, and on accounts without two-factor authentication (2FA) nothing else stood in their way. In response, Apple extended two-step verification to more of iCloud and began alerting users to account activity.
Infrastructure Security: From cloud security controls to network segmentation, organizations deploy extensive safeguards to prevent unauthorised access and mitigate insider threats. These include Virtual Private Networks (VPNs), security groups, access control lists, network firewalls, and a host of other network security appliances.
Continuous Monitoring and Threat Detection: Security teams use threat intelligence, intrusion detection systems, and behavior analytics to identify and respond to suspicious activity.
Compliance and Policy Enforcement: Regulatory and industry standards such as GDPR, HIPAA, ISO 27001 and PCI DSS impose security obligations on companies. Organizations implement security policies, conduct audits, and enforce governance frameworks to ensure compliance. This doesn't mean that compliance equates to security; rather, compliance sets the baseline for a mature security program.
Despite these extensive efforts, security breaches still occur - sometimes because of what users do, or fail to do. This brings us to the visible portion of the iceberg. The approximately 5% that is visible above water represents the security practices that users must adopt. Even the strongest security infrastructure can be undermined by weak user behavior. The iceberg analogy becomes even more fitting when we consider what happens when that visible 5% - user responsibility - is neglected. Icebergs can flip when their balance is disturbed, just as security can collapse when users fail to engage with protections.
Case Study: In the 2020 Twitter hack, attackers used phone-based social engineering on Twitter employees to gain access to internal account-management tools, and then used those tools to take over the accounts of major celebrities, politicians and influencers. It showed how a single deceived person can bypass even robust security frameworks. Similarly, the Colonial Pipeline ransomware attack began with a compromised password for a legacy VPN account that had no MFA, and ended in a critical infrastructure shutdown. In both cases, small oversights by individuals had massive security implications.
But why do users repeatedly neglect these responsibilities, even when the risks are clear?
It is commonplace to hear security professionals say "Humans will forever be the weakest link in security", and while the perspective behind this statement is easy to understand - it typically focuses on negligence and ignorance - the real issue isn't just a lack of awareness. These security lapses often stem from fundamental aspects of human nature: cognitive biases, habits, and convenience-driven decision-making. Studies in behavioural economics and human psychology show that:
Optimism bias: People tend to believe that they are less likely to be hacked than others. They believe cyber threats happen to "other" people - big corporations, celebrities, or careless individuals - but not to them. This false sense of security leads to complacency and discourages proactive behavior.
Present bias: People prioritise short-term convenience over long-term security. Remembering and typing a complex password feels like an unnecessary hassle compared to the immediate ease of reusing an old one. This bias explains why people delay enabling MFA or ignore security warnings.
Decision fatigue: Users are burdened with an overload of digital responsibilities, and it becomes easier to ignore security warnings or postpone software updates. When constantly bombarded with choices, people opt for the easiest, least effort-intensive option - even if it's insecure.
This aligns with the concept of bounded rationality (Herbert Simon, 1957), which argues that human decision-making is limited by cognitive constraints, leading to suboptimal choices. Instead of meticulously evaluating security risks, people choose what seems "good enough", even if it's unsafe. Prospect theory (Kahneman & Tversky, 1979) adds that people misjudge risk, underestimating threats until they experience the consequences firsthand. This explains why many only start caring about security after a breach occurs rather than preventing it in the first place.
We can say security is not just about knowing what the risks are - it’s about changing habits. Becoming a security-conscious user requires small, consistent changes that become second nature over time. Here’s a step-by-step approach to transforming security habits:
Adopt a Security-First Mindset
Recognise that you are a target. Security is not just for large companies - it's for everyone.
Think about security proactively. Instead of reacting after a breach, anticipate risks and act before they happen.
Enable Multi-Factor Authentication (MFA) on Every Account
According to Microsoft, MFA blocks more than 99.9% of automated account-compromise attacks.
Use hardware security keys or app-based authentication instead of SMS-based MFA for better protection. A case study: in 2022, Cloudflare employees were targeted by a phishing campaign that captured some credentials and one-time codes. The company had already issued phishing-resistant FIDO2 hardware security keys to every employee, and because those keys only work on the genuine site, the attackers could not complete a login. That is what kept them from being breached.
Also use passkeys wherever they are available.
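To show why the Cloudflare incident above turned out the way it did, here is an added example (mine, not from the original post) that simulates a real-time phishing relay against two kinds of second factor. The TOTP code is a real RFC 6238 implementation; the origin-bound assertion is a deliberately simplified stand-in for FIDO2/WebAuthn, using an HMAC in place of the credential's private-key signature. The secrets, origins and challenge are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---- Factor 1: a code-based second factor (RFC 6238 TOTP) ----
TOTP_SECRET = b"constructed-shared-totp-secret"   # constructed for the demo


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(code: str, t: int) -> bool:
    # The server cannot tell WHERE the code was typed. A code entered on a
    # look-alike page and forwarded by the attacker is indistinguishable
    # from one entered on the real site.
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


# ---- Factor 2: an origin-bound assertion (simplified WebAuthn model) ----
EXPECTED_ORIGIN = "https://login.example.com"      # constructed
RP_ID = "example.com"                              # constructed relying-party id
CRED_KEY = b"constructed-per-credential-key"       # stand-in for the private key


def authenticator_assert(origin: str, challenge: bytes) -> dict:
    """Browser + authenticator side.  The *browser*, not the user, fills in
    `origin` with the page that is actually open, and the signature covers it."""
    client_data = json.dumps(
        {"type": "webauthn.get",
         "challenge": base64.b64encode(challenge).decode(),
         "origin": origin},
        sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # HMAC stands in for a signature
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "sig": sig}


def server_verify_assertion(a: dict, challenge: bytes) -> bool:
    cd = json.loads(a["client_data"])
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False          # produced on some other site: reject
    if base64.b64decode(cd["challenge"]) != challenge:
        return False          # not a response to the challenge we issued
    if a["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(CRED_KEY,
                        a["rp_id_hash"] + hashlib.sha256(a["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["sig"])


# ---- The relay attack, run against each factor ----
PHISH_ORIGIN = "https://login-example.com"   # constructed look-alike domain


def relay_totp_attack(t: int) -> bool:
    """Victim types password + current code into the phishing page; the
    attacker forwards both to the real site within the 30-second window."""
    code_typed_by_victim = totp(TOTP_SECRET, t)
    return server_verify_totp(code_typed_by_victim, t)   # True: attacker gets in


def relay_webauthn_attack(challenge: bytes) -> bool:
    """Attacker forwards the real server's challenge to the phishing page.
    (A real browser would refuse to use RP_ID on this origin at all; here we
    let it sign so the server-side origin check is visible too.)"""
    a = authenticator_assert(PHISH_ORIGIN, challenge)
    return server_verify_assertion(a, challenge)          # False: rejected


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relay succeeds:    ", relay_totp_attack(now))
    print("WebAuthn relay succeeds:", relay_webauthn_attack(b"constructed-challenge"))
```

The point the simulation makes is structural: a code the user can read and retype can also be read and retyped by an attacker, while an assertion that embeds the browser-observed origin cannot be moved from the look-alike site to the real one.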
Use a Password Manager and Stop Reusing Passwords
Credential stuffing only works because people reuse passwords: attackers take username and password pairs leaked from one site and replay them against every other site they can think of.
A password manager generates and stores long, complex passwords automatically, so each account gets a unique one you never have to remember. Just pick a password manager that generates long, random passwords for you. The infamous "RockYou2021" leak was a compilation of over 8.4 billion entries from earlier breaches and word lists, and analysis of it showed the same weak, reused passwords appearing over and over.
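As an added example (not from the original post), the following simulates the credential-stuffing attack described above against a small constructed user base: a plaintext dump leaked from "Site A" is replayed against "Site B", whose passwords are stored properly as salted PBKDF2 hashes. The users who reused a password fall; the one whose password came from a generator does not. All usernames and passwords are constructed for the demo, and PBKDF2 uses a low iteration count to keep the example fast.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate_password(length: int = 20) -> str:
    """What a password manager does: uniform random choice from a large alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: bytes) -> bytes:
    # Low iteration count for demo speed only; use a high count (or Argon2) in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class SiteB:
    """A site that stores passwords correctly - and is still exposed to reuse."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, hash_password(password, salt))


def credential_stuffing(site: SiteB, leaked_pairs) -> list:
    """Replay every (user, password) pair from the Site A leak against Site B."""
    return [user for user, pw in leaked_pairs if site.login(user, pw)]


def demo() -> list:
    # Constructed leak from Site A (plaintext, as a cracked or unhashed dump would be).
    site_a_leak = [
        ("alice", "Summer2021!"),
        ("bob", "hunter2"),
        ("carol", "u7$Lq2!pX9vR^mW4sZ1b"),   # carol used a generated password on Site A
        ("dave", "letmein"),                 # dave has no Site B account
    ]
    site_b = SiteB()
    site_b.register("alice", "Summer2021!")              # reused
    site_b.register("bob", "hunter2")                    # reused
    site_b.register("carol", generate_password())        # unique, different from Site A
    return credential_stuffing(site_b, site_a_leak)


if __name__ == "__main__":
    print("accounts taken over on Site B:", demo())          # ['alice', 'bob']
    print("bits of entropy, 8 lowercase letters:", round(entropy_bits(8, 26), 1))
    print("bits of entropy, 20-char generated:", round(entropy_bits(20), 1))
```

Note that Site B did nothing wrong on the storage side; salting and key stretching protect its own users from offline cracking, but they cannot protect a user who handed the same password to a site that leaked it in the clear.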
Recognise and Avoid Phishing Attempts
This point cannot be emphasised enough - phishing remains one of the most effective attack vectors, and recognising its signs is crucial.
Never click links in emails or messages from unknown senders, and treat unexpected links from senders you do know with the same suspicion - sender addresses are easily spoofed and accounts get compromised.
Always verify the URL before entering your credentials.
Phishing-resistant hardware tokens add an extra layer of defence.
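"Verify the URL" is easy to say and surprisingly easy to get wrong, because phishing URLs are built to survive a quick glance. As an added example (not from the original post), here is a check that a browser extension or a user-awareness tool might apply before a credential form is filled: it parses the URL properly instead of looking at the string, and rejects the common tricks - a trusted name used as a subdomain of an attacker's domain, a trusted name hidden in the userinfo part before an @, punycode or non-ASCII look-alike hosts, and plain HTTP. The allowlist of trusted domains is constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains you actually log in to.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}


def check_login_url(url: str) -> tuple:
    """Return (ok, reason).  ok is True only if the URL is HTTPS and its host is a
    trusted domain or a subdomain of one, with no userinfo or look-alike tricks."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # https://paypal.com@evil.example/ -> the real host is evil.example
        return False, "userinfo (user@host) in URL"
    host = parts.hostname          # lowercased, port and userinfo stripped
    if not host:
        return False, "no host"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, "non-ASCII host (possible homoglyph)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible homoglyph)"
    for trusted in TRUSTED_DOMAINS:
        # Exact match or a real subdomain. endswith("." + trusted) is what
        # defeats paypal.com.evil.example and paypal.com-secure.example.
        if host == trusted or host.endswith("." + trusted):
            return True, "host %s is under trusted domain %s" % (host, trusted)
    return False, "host %s is not a trusted domain" % host


if __name__ == "__main__":
    # Constructed sample URLs, legitimate and phishing.
    for u in ["https://www.paypal.com/signin",
              "https://paypal.com.evil.example/login",
              "https://paypal.com-secure.example/login",
              "https://paypal.com@evil.example/",
              "http://paypal.com/",
              "https://p\u0430ypal.com/",        # Cyrillic 'a'
              "https://xn--pypal-4ve.com/"]:
        print(check_login_url(u), u)
```

The check is deliberately strict: it prefers a false rejection ("please type the address yourself") to letting a credential go to a host that merely contains a familiar name.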
Update Software and Devices Regularly
Enable automatic updates for your OS, apps, and browser. Unpatched vulnerabilities are a leading cause of cyber attacks.
Limit Data Exposure Online
Minimise personal details on social media.
Use privacy-focused search engines and browsers.
Be mindful of apps requesting excessive permissions.
After all of this has been said, here's the real challenge: we cannot expect users to suddenly become security experts. Instead, security must be designed to work with human behavior, not against it. This is where Nudge Theory (Thaler & Sunstein, 2008) becomes essential. Rather than relying solely on education, systems should be designed to make the secure choice the default. Research shows that:
Auto-enabling MFA during account creation increases adoption rates by over 70% compared to optional MFA.
Password managers with built-in autofill significantly reduce the cognitive burden of remembering strong passwords.
Browsers that block malicious sites by default prevent phishing before users even recognise a threat.
Instead of viewing users as the weakest link, we should recognise them as the most critical link in security. The key to a resilient security posture isn't just more technology - it's designing security mechanisms and controls that work effortlessly with human behavior. When security is seamless and intuitive, adoption becomes the default, not the exception. That is when the iceberg stands strong.
And once again, however you look at it, the shared responsibility model highlights that security is not a one-sided effort. Just as the stability of an iceberg depends on both its submerged and visible portions, cybersecurity requires cooperation between companies and users. Organizations must continue fortifying security measures and designing more with human psychology in mind, while users must take proactive steps to protect themselves. When both parties fulfil their roles, the digital ecosystem becomes significantly more secure.
The security of a chain is in the strength of its 'supposed' weakest link. Companies and users alike must recognise that security is a shared burden - one that requires action, not just awareness.
Great article! I love the emphasis around the role of users in security.
Wonderful article, thank you. Some cybersecurity experts believe auto-fill can lead to vulnerabilities. In the article, you mentioned a password manager with autofill to reduce cognitive overload. Can auto-fill for browsers and/or password managers lead to vulnerabilities?