Leveraging human factors in cybersecurity: an integrated methodological approach
Cognition, Technology & Work (IF 2.4), Pub Date: 2021-06-11, DOI: 10.1007/s10111-021-00683-y
Alessandro Pollini 1, 2 , Tiziana C Callari 3 , Alessandra Tedeschi 2 , Daniele Ruscio 2 , Luca Save 2 , Franco Chiarugi 4 , Davide Guerri 4

Computer and Information Security (CIS) is usually approached adopting a technology-centric viewpoint, where the human components of sociotechnical systems are generally considered as their weakest part, with little consideration for the end users’ cognitive characteristics, needs and motivations. This paper presents a holistic/Human Factors (HF) approach, where the individual, organisational and technological factors are investigated in pilot healthcare organisations to show how HF vulnerabilities may impact on cybersecurity risks. An overview of current challenges in relation to cybersecurity is first provided, followed by the presentation of an integrated top–down and bottom–up methodology using qualitative and quantitative research methods to assess the level of maturity of the pilot organisations with respect to their capability to face and tackle cyber threats and attacks. This approach adopts a user-centred perspective, involving both the organisations’ management and employees. The results show that a better cyber-security culture does not always correspond with more rule compliant behaviour. In addition, conflicts among cybersecurity rules and procedures may trigger human vulnerabilities. In conclusion, the integration of traditional technical solutions with guidelines to enhance CIS systems by leveraging HF in cybersecurity may lead to the adoption of non-technical countermeasures (such as user awareness) for a comprehensive and holistic way to manage cyber security in organisations.




Updated: 2021-06-13