兰德-超越技术层面-结合人为因素评估网络风险（英）

WENJING HUANG, SASHA ROMANOSKY, JOE UCHILLBeyond TechnicalitiesAssessing Cyber Risk by Incorporating Human FactorsResearch ReportFor more information on this publication, visit www.rand.org/t/RRA3841-1.About RANDRAND is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. To learn more about RAND, visit www.rand.org.Research IntegrityOur mission to help improve policy and decisionmaking through research and analysis is enabled through our core values of quality and objectivity and our unwavering commitment to the highest level of integrity and ethical behavior. To help ensure our research and analysis are rigorous, objective, and nonpartisan, we subject our research publications to a robust and exacting quality-assurance process; avoid both the appearance and reality of financial and other conflicts of interest through staff training, project screening, and a policy of mandatory disclosure; and pursue transparency in our research engagements through our commitment to the open publication of our research findings and recommendations, disclosure of the source of funding of published research, and policies to ensure intellectual independence. For more information, visit www.rand.org/about/research-integrity.RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors.Published by the RAND Corporation, Santa Monica, Calif.© 2025 RAND Corporation is a registered trademark.Limited Print and Electronic Distribution RightsThis publication and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to its webpage on rand.org is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research products for commercial purposes. For information on reprint and reuse permissions, visit www.rand.org/about/publishing/permissions.RR-A3841-1This publication has completed RAND’s research quality-assurance process but was not professionally copyedited. iii About This Report The increasing reliance on technology and human interactions with cybersecurity systems is heightening the challenge for organizations to manage their cyber risks effectively. While many firms focus heavily on technical factors such as network configurations, software patching, and security controls, the growing body of evidence underscores the critical role of human factors in shaping cybersecurity outcomes. At the same time, the interconnected nature of modern workplaces and external threats amplifies the complexity of mitigating risks tied to human behaviors and organizational culture. Together, these factors represent a significant opportunity to improve how firms as