Cybercrime’s Hidden Cost: The Mental Health Impact on Employees and How a Just Culture Limits Harm

• by Anthony Orjally
• Advent IM Blog

Cybercrime doesn’t just drain budgets and stall operations. It also quietly erodes confidence, sleep, and trust, especially for the person who clicked, uploaded, or approved something that later became the pivot point for an incident. In security programmes, we often track mean time to detect and mean time to recover. We rarely track the human half-life of anxiety. That’s a gap in governance.

For organisations in government, defence, and critical national infrastructure (CNI), the stakes are heightened. The fear of reputational damage, regulatory scrutiny, and national-level consequences compounds the pressure on individuals. If we want genuine resilience, we must design for humanity as deliberately as we design for controls.

When “I caused this” becomes the loudest alarm

Breaches frequently stem from ordinary work under ordinary constraints: time pressure, confusing prompts, look-alike domains, awkward processes that encourage workarounds. When an incident traces back to an individual action, many employees experience a sharp mix of shame, fear for their job, and dread about telling anyone. That internalised stress has knock-on effects:

• Cognitive load rises (rumination, sleeplessness), slowing decision-making just when clarity is needed.
• Under-reporting of near misses increases, because people don’t want to be the next cautionary tale.
• Trust in leadership and the security function falls if the response feels punitive or opaque.

In short: blame drives problems underground; psychological safety brings them to the surface where they can be fixed.

What “just culture” really means in cyber

“Just culture” comes from safety-critical industries (aviation, healthcare) and draws a hard line between human error (inevitable and instructive), at-risk behaviour (driven by system pressures, fixable with better design), and reckless misconduct (a rarity, handled through HR/disciplinary routes). In cyber and information governance, a just culture reframes incident response from courtroom drama to clinical learning.

This isn’t “soft” security. It’s a disciplined approach that increases reporting, accelerates learning, and reduces repeat events. For CNI and defence suppliers; where cascading operational impact is a real risk, this is not simply ethical; it’s operationally prudent.

Governance implications (and why boards should care)

Boards, SIROs (Senior Information Risk Owners), IAOs (Information Asset Owners), and CISOs already hold risk and assurance duties. Adding mental-health-aware response isn’t “nice to have”, it’s part of effective governance:

• Regulatory posture: Transparent reporting, fair treatment, and clear lessons learned help demonstrate accountability to regulators and customers.
• Operational continuity: Early escalation limits dwell time and blast radius. People only escalate early if they trust the process.
• Culture as control: A workforce that reports near misses promptly is a live sensor network. That’s a control, not a campaign slogan.
• Standards alignment: A just culture strengthens incident management and continual improvement requirements (e.g., ISO/IEC 27001: incident planning, response, and learning; awareness and training).

Anatomy of a humane, effective incident response

Think of this as a combined playbook for people care and control improvement. Both matter.

1) First 24 hours: stabilise the person and the system

• Provide a named liaison (not just a ticket number). Explain what will happen next and when.
• Offer immediate access to employee assistance or occupational health. Normalise the stress response; don’t pathologise it.
• Contain technically, but avoid interrogative postures. Collect facts with neutral language.

2) The review: blameless, evidence-led, time-boxed

• Ask “What made the right action hard?” before “Who did the wrong thing?”.
• Map contributing factors: interface design, process friction, workload, training gaps, ambiguous policy, supplier behaviours.
• Produce an improvement list with owners and dates. Close the loop publicly (to the degree appropriate).

3) Communications: clarity over spin

• Internally, explain root causes in plain language and share improvements.
• Externally (where required), avoid scapegoating. Stakeholders recognise system issues when they’re explained honestly.

4) Aftercare and reintegration

• Check-ins at defined intervals; don’t leave the individual in limbo.
• Offer skills refreshers or shadowing to rebuild confidence.
• Explicitly recognise early escalation or quick corrective actions.

Near-miss reporting: turning whispers into telemetry

Most incidents are preceded by near misses: almost-clicked links, blocked uploads, suspicious requests. Treat near-miss reporting with the same seriousness as incidents:

• Make it effortless: one-click forms, short prompts, optional anonymity.
• Make it valuable: publish “you said, we did” updates so people see the effect of reporting.
• Make it safe: written reassurance that good-faith reports carry no reprisals, and proof via leadership behaviour.

For CNI operators and government bodies, align this with existing safety reporting practices. You already know how to cultivate reporting in physical safety; extend the muscle memory to information security.

A short case vignette (composite but very common)

A contracts officer in a defence supply chain receives a “supplier” request to re-send a redacted export-controlled document. The email and footer look right. Under deadline pressure, they comply. Hours later, an internal scan flags unusual exfiltration behaviour.

In a punitive culture, the officer hides, legal gets cagey, security chases shadows, and the story leaks anyway. The lesson is fear.

In a just culture, the officer immediately flags suspicion, security contains the risk, and the review finds the workflow that encouraged ad-hoc sharing: unclear SOPs, no easy secure channel, and a template that trained users to trust the wrong signals. Fixes roll out in a week: a secure transfer path in the contract system, a new verification step, and comms that explain why. The lesson is improvement.

Same trigger, radically different outcomes.

Practical policy language you can adopt tomorrow

Keep it short, repeat it often:

We operate a just culture for information security.

Good-faith reporting of incidents and near misses is encouraged and supported. Reviews focus on system improvements, not individual blame. Reckless or malicious behaviour is a separate disciplinary matter. We will provide appropriate wellbeing support to anyone involved in an incident.

Put that in your ISMS manual, induction packs, and incident runbooks. Then live up to it.

Measures that matter (beyond MTTR)

If you can’t measure it, you can’t manage it. Add a few human-centred metrics to your board pack:

• Near-miss volume and time-to-report (should rise and then stabilise as trust grows).
• Percentage of reviews with system-level corrective actions (not just user retraining).
• Employee confidence index for incident handling (short pulse survey after involvement).
• Return-to-confidence time for affected staff (self-reported, anonymised).
• Recognition rate for positive behaviours (early escalation, good catches).

These aren’t vanity metrics; they’re leading indicators of resilience.

Special note for Government, Defence and CNI

• Security clearances and stigma: People may fear clearance implications. Provide clear guidance on when and how incidents intersect with vetting, and emphasise that honest disclosure is protective, not punitive.
• Operational tempo: Shift patterns, surge work, and high-consequence contexts increase fatigue-related error. Bake in micro-breaks and peer checks during known pressure windows.
• Supplier chains: Extend just-culture expectations to third parties. Include near-miss reporting and humane response clauses in contracts and security schedules, and test them in exercises.
• Exercise realism: Run joint exercises that include the human arc; mistake, reaction, support, learning, not just the technical chess game.

Strong governance isn’t measured by the absence of bad news; it’s measured by how quickly truth surfaces and how predictably systems improve. A just culture and the mental-health-aware practices that flow from it, turns employees from potential scapegoats into active sensors and first responders. That shortens dwell time, reduces impact, and protects the organisation’s mission as well as its people.

If your incident plans don’t explicitly state how you protect and support the humans at the centre, they’re incomplete. Make the change, communicate it clearly, measure it rigorously, and prove it through leadership behaviour. That’s how you turn “we care about our people” from a poster into a control.

Written by Ellie Hurst, Commercial Director