In their comprehensive book Network Security: Private Communication in a Public World, Kaufman, Perlman, and Speciner wryly observed:
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations… It is astonishing that these devices [humans] continue to be manufactured and deployed.”
We can smile at the irony, but the reality stands: attackers take advantage of such human tendencies and tailor their strategies accordingly.
The recent CyberArk 2024 Employee Risk Survey revealed that employees remain a prime target for attackers. This aligns with the longstanding consensus in security research that the “weakest link” isn’t the technology—it’s the people using it. This shouldn’t come as a surprise, as public-interest technologist Bruce Schneier famously noted,
“Only amateurs attack machines; professionals target people.”
The CyberArk data highlights not only credential mismanagement, but also risky workarounds, weak access control, and “authentication fatigue” that result from traditional security measures that add friction. Users need to get work done, and they will bypass hurdles, delay software updates and ignore system prompts if those controls feel like speed bumps rather than guardrails.
The CyberArk survey is a reminder of the urgent need for adaptive, context-aware mechanisms. Solutions need to blend zero-trust principles with practical usability, so that they can continuously validate user, device, and request context while remaining nearly invisible to the end user. The goal is to make secure choices feel natural, not burdensome—something for which user experience experts have long advocated. As researchers noted, we need systems where “good use is easier than bad use,” and where safety and security controls fit cognitive patterns rather than fighting them.
Where Pomerium Fits In
Pomerium was founded upon these fundamental lessons. Pomerium shifts authorization from an “authenticate once, trust indefinitely” model to per-request evaluation, incorporating context about each request—user identity, device posture, and security signals—in real-time rather than relying on static assumptions. Instead of forcing employees into impossible memorization feats or clunky client installations, Pomerium’s clientless, zero-trust approach streamlines the path to secure workflows. Each request stands or falls on its own merits, minimizing risk without adding unnecessary friction.
These improvements map directly to the survey’s top concerns:
| Employee Risk Behavior | What’s Happening | How Pomerium Solves the Security Challenge |
|---|---|---|
| High-Risk Device Access | 80% access work apps on personal devices that lack sufficient controls. | Enforces device-aware policies and verifies posture each time. Continuously authenticates, no matter which device is in play. |
| Credential Misuse | Nearly 50% of employees reuse credentials or blend personal and work accounts. | Integrates with your identity sources for context-based policies. Reduces password sprawl by making strong, single sign-on workflows intuitive. |
| Policy Workarounds | 65% bypass security measures when they disrupt productivity. | Makes access verification frictionless. Adopts adaptive, per-request checks that feel invisible to compliant users while thwarting unauthorized attempts. |
| Unauthorized Sharing | Over 50% of employees share confidential info outside company walls. | Applies per-request authorization to ensure only the right person sees the right data at the right time—every time. |
| Authentication Fatigue | Repeated MFA prompts lead to “alert fatigue” and mindless approvals. | Minimizes cognitive overhead. Lets continuous, contextual authorization reduce unnecessary interruptions and keep the user’s attention where it belongs: on their work. |
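To make the "per-request evaluation" model described above concrete (and the device-posture and continuous-authentication rows in the table), here is a small, self-contained Go illustration of a request-time policy evaluator. It is an added example written for this page, not Pomerium's code or its configuration format; the `RequestContext`, `Policy` and `Authorize` names, the posture signal (disk encryption) and the sample routes and users are all constructed for the demonstration. The point it shows is that nothing is carried over from an earlier request: identity freshness, group membership and device state are re-checked on every call, so the same logged-in user is allowed from a managed device, denied from a personal one, and denied again once the identity assertion lapses.

```go
package main

import (
	"fmt"
	"time"
)

// RequestContext carries the evidence available for one request.
// Hypothetical illustration: these field names are this example's own, not Pomerium's.
type RequestContext struct {
	UserEmail     string
	Groups        []string  // group claims from the identity provider
	DeviceTrusted bool      // device identity verified (e.g. managed/attested device)
	DiskEncrypted bool      // one example posture signal
	Route         string    // which internal application is being requested
	Now           time.Time // evaluation time for this request
	IdPValidUntil time.Time // when the identity provider's assertion expires
}

// Policy is a per-route rule. The evaluator is default-deny: a route with no
// policy is never reachable.
type Policy struct {
	Route          string
	AllowedGroups  []string
	RequireTrusted bool // only managed/attested devices may reach this route
	RequirePosture bool // additionally require posture signals (here: disk encryption)
}

// Decision is the outcome for a single request, with a reason suitable for audit logs.
type Decision struct {
	Allow  bool
	Reason string
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Authorize evaluates exactly one request against the policy set. Nothing is
// cached from earlier requests: identity freshness, group membership and
// device posture are all re-checked every time, in that order.
func Authorize(policies []Policy, rc RequestContext) Decision {
	var pol *Policy
	for i := range policies {
		if policies[i].Route == rc.Route {
			pol = &policies[i]
			break
		}
	}
	if pol == nil {
		return Decision{Allow: false, Reason: "no policy for route (default deny)"}
	}
	if !rc.Now.Before(rc.IdPValidUntil) {
		return Decision{Allow: false, Reason: "identity assertion expired; re-authentication required"}
	}
	inGroup := false
	for _, g := range pol.AllowedGroups {
		if contains(rc.Groups, g) {
			inGroup = true
			break
		}
	}
	if !inGroup {
		return Decision{Allow: false, Reason: "user not in an allowed group"}
	}
	if pol.RequireTrusted && !rc.DeviceTrusted {
		return Decision{Allow: false, Reason: "untrusted device"}
	}
	if pol.RequirePosture && !rc.DiskEncrypted {
		return Decision{Allow: false, Reason: "device posture check failed: disk not encrypted"}
	}
	return Decision{Allow: true, Reason: "allowed"}
}

// SamplePolicies is constructed sample data: a sensitive route that demands a
// trusted device with good posture, and a low-risk route that only needs group membership.
var SamplePolicies = []Policy{
	{Route: "payroll.internal", AllowedGroups: []string{"finance"}, RequireTrusted: true, RequirePosture: true},
	{Route: "wiki.internal", AllowedGroups: []string{"finance", "engineering"}},
}

func main() {
	t0 := time.Date(2024, 11, 1, 9, 0, 0, 0, time.UTC)
	base := RequestContext{
		UserEmail: "alice@example.com", Groups: []string{"finance"},
		Route: "payroll.internal", Now: t0, IdPValidUntil: t0.Add(8 * time.Hour),
	}
	managed := base
	managed.DeviceTrusted, managed.DiskEncrypted = true, true
	personal := base // same user, same session, but an unmanaged device
	later := managed
	later.Now = t0.Add(9 * time.Hour) // the identity assertion has lapsed

	for _, rc := range []RequestContext{managed, personal, later} {
		d := Authorize(SamplePolicies, rc)
		fmt.Printf("%-16s trusted=%-5v at %s -> allow=%-5v (%s)\n",
			rc.Route, rc.DeviceTrusted, rc.Now.Format("15:04"), d.Allow, d.Reason)
	}
}
```

The ordering of checks is deliberate: identity freshness is tested before anything else, so an expired assertion is rejected regardless of how trusted the device is, and the reason string names the first failing condition so that audit logs explain a denial without leaking which later checks would also have failed.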
In short, Pomerium’s model channels what leading security psychologists and human-computer interaction researchers have urged for decades: design systems that recognize human cognitive limits and social vulnerabilities. With a zero-trust, continuously adaptive approach, we shift from intrusive pop-ups and friction to seamless, context-driven checks that respect the user’s time and attention. And, with Pomerium, we’ve designed a solution that promotes security best practices while also being user friendly.