Boosting Public Sector Cyber Resilience: Why the Human Element Matters

When we talk about cyber resilience, it’s easy to focus on the technical side — firewalls, AI-driven threat detection, and sophisticated technical systems. These tools are critical, of course, but technology alone isn’t enough. Cyber resilience heavily relies on people: their awareness, their behaviors, and the culture within which they operate -  from the culture of the organisation they work in to the wider culture of their society. The public sector has a unique role to play: not only in shaping the culture within their own organisations, but also in influencing and modeling secure practices that ripple out into society as a whole. 

The Challenge Facing Ireland’s Public Sector 

Public sector organisations are under unique pressure. They are high-value targets, yet often operate with limited budgets, legacy systems, and stretched resources. At the same time, citizens rely on their services every day, meaning a successful cyber-attack can disrupt healthcare (as we have experienced before), education, local services, and trust in government. 

The recent rise in ransomware and phishing campaigns targeting public sector bodies is a reminder: it’s not a matter of if but when an incident occurs. This makes resilience — the ability not just to prevent, but to respond and recover swiftly — absolutely essential. 

Beyond Technology: The Human Factor 

Structured incident responses, funding, AI, and cyber talent shortages are hot topics in cyber security. But one thread connects them all: the human element. 

• Incident response relies on people making good decisions under pressure. Preparedness means not just having a playbook, but ensuring staff are trained, confident, and know their role when a crisis hits. 
• Funding strategies often prioritize technology, but resilience is equally about investing in people: leadership buy-in, ongoing training, and building cross-functional awareness. 
• Addressing the talent shortage goes hand-in-hand with creating cultures where existing employees feel valued, supported, and motivated to grow. Retention is just as important as recruitment. 
• Upskilling efforts are only effective if organizations create a learning culture — one that normalizes continuous development, feedback, and shared responsibility for cyber security. 

Without embedding these human dimensions, the most advanced technologies risk being underused, misunderstood, or even bypassed. 

Building a Culture of Cyber Resilience 

So, how do we strengthen the human side of cyber resilience in Ireland’s public sector? A few key approaches stand out: 

1. Embed security into everyday culture. Cyber security should not feel like a separate IT issue. By integrating it into daily routines, meetings, and decision-making processes, staff begin to see it as part of their role, not a compliance checkbox. 
2. Focus on awareness and behavior. Awareness campaigns alone don’t drive resilience. We need programs that encourage secure behaviors — reporting suspicious emails, practicing good password hygiene, safeguarding data — and reinforce them until they become second nature. 
3. Empower leaders as role models. Senior leaders in the public sector set the tone. If they visibly prioritize cyber security, it signals to employees that this is a collective responsibility, not just a technical concern. 
4. Strengthen collaboration. Cyber resilience is not built in isolation. Public sector bodies can share lessons learned from incidents, pool resources, and coordinate training efforts to improve response across the board. 
5. Measure and evolve. Resilience is dynamic. Collecting metrics on behavior, incident response performance, and cultural perceptions of security can guide where to focus efforts and demonstrate progress over time. 

Why This Matters 

Cyber security in the public sector isn’t just about protecting data — it’s about protecting citizens. When services are disrupted by an attack, it affects healthcare appointments, social welfare payments, and access to education. Resilience is therefore a matter of public trust. 

By investing not only in technology but also in people and culture, Ireland’s public sector can build a stronger, more adaptive foundation for the future. 

As we explore these themes in the panel, I hope to bring the human perspective to the forefront: reminding us that resilience is not only a technical capability but also a mindset and a culture. Because in the end, cyber security is about people — the people we serve, and the people who protect them. 

Dr. Louise O’Hagan will speak at Holyrood's Public Sector Cyber Security Republic of Ireland 2025 in September