Rethinking the Human–Technical Split in Cybersecurity
DOI:
https://doi.org/10.34190/iccws.21.1.4460
Keywords:
Cybersecurity, Human–technical split, Sociomateriality, Actor–Network Theory, Zero Trust, Security frameworks
Abstract
This paper re-examines one of the most enduring assumptions in cybersecurity and information systems: the split between the human and the technical. For decades, research and professional practice have portrayed the human as an unpredictable source of error—“the weakest link”—in contrast to the supposedly rational and controllable domain of technology. While this separation appears practical, it stems from a deeper lineage of Western thought that positions humans and nonhumans as fundamentally separate spheres. Drawing on thinkers such as Michel Foucault and Bruno Latour, this paper traces how this conceptual division has become embedded in security discourse, from early information systems design to contemporary frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework. These standards institutionalize the split through parallel categories for “technical controls” and “human factors,” shaping how security responsibilities are assigned and how failures are understood. The paper then explores what happens when this separation is challenged. Using examples such as intrusion detection systems and Trojan attacks, it shows that social and technical elements are inseparably mixed: anomalies, mimicry, and deception all rely on both code and conduct. Security decisions—from asset valuation to risk analysis—likewise emerge from socio-technical negotiations between what is desired and what is possible. To move beyond the limitations of this dichotomy, the paper introduces two frameworks that enact symmetry between human and technological agency. Conceptually, Actor–Network Theory treats both humans and artefacts as actors whose agency lies in their effects on others. Practically, Zero Trust security architectures operationalize the same symmetry by applying continuous verification equally to users and devices. 
Taken together, these perspectives suggest that cybersecurity should not be understood as two interacting domains but as a blended field of heterogeneous actors whose relations continually produce security. Recognizing this mixture does not dissolve the technical or the human but allows researchers and practitioners to see more clearly how each side folds into the other, reshaping what security can mean in practice.
License
Copyright (c) 2026 Jukka Vuorinen

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.