People Security, Pillar 01
A penetration test tells you what an attacker can do. A human factors security assessment tells you why your team would let them. We measure security culture, decision-making under pressure, and behavioural vulnerability: the inputs that determine whether your technical controls actually hold.
Every security audit of a Web3 organisation examines code, infrastructure, and access controls. Almost none of them examine the humans operating those systems: how they make decisions, what pressures they respond to, where their security instincts break down, and how that translates into real organisational risk.
Human factors security assessment fills that gap. Drawing on behavioural security research and operational experience across Web3 incident response, we evaluate the human layer of your security architecture with the same rigour applied to the technical layer. The output is a security review that tells you not just what your vulnerabilities are, but why they exist and what it will actually take to change them.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
Why This Matters
“The World Economic Forum estimates that 95% of cybersecurity breaches involve human error. In Web3, where a single human decision can authorise the movement of hundreds of millions of dollars, understanding the behavioural layer is not optional; it is the most important security assessment you can run.”
The Bybit Blind Spot
“A standard cyber security audit will confirm that Bybit’s multi-sig required three approvals. It would not find that all three signers were shown a manipulated Safe interface that displayed a legitimate-looking transaction while the underlying calldata was a contract upgrade transferring control of the cold wallet to the attacker. The Bybit signers did not fail to verify; they verified what they were shown. The failure was in the interface they trusted and the culture that normalised approving transactions without independent calldata verification.”
Technical security assessment services tell you whether the doors are locked. Human factors assessments tell you whether your team would open them anyway. Both are necessary. Only one is routinely skipped.
The Four Dimensions
Human risk in security is not random. It follows predictable patterns rooted in psychology, organisational culture, and incentive structures. We measure the four dimensions that drive it.
The shared beliefs, norms, and priorities that shape how your team approaches security day-to-day. Culture determines whether security policies are followed or quietly worked around.
The psychological triggers (urgency, authority, familiarity, reciprocity) that make people bypass their own security instincts. Understanding these explains why intelligent people make dangerous decisions.
Who has access to what, whether that access is proportionate to their role and trustworthiness, and whether the organisational structure creates unnecessary single points of human failure.
Observable patterns that indicate elevated insider threat risk or security culture breakdown: unusual access patterns, policy non-compliance, unexplained behaviour changes, and communication anomalies.