TITLE:
Assessing Human-Induced Cybersecurity Risk Using a Human Vulnerabilities Exposure Index (CSHVEI)
AUTHORS:
Alex Kibet
KEYWORDS:
Human Factors, MFIs, Cyber-Security, Attack Surface, Exposure Index, Framework, Model
JOURNAL NAME:
Open Journal of Applied Sciences, Vol.16 No.2, February 27, 2026
ABSTRACT: Cybersecurity resilience is widely understood to rest on the integration of people, processes, and technology. However, existing cybersecurity research and practice have largely prioritized technological controls and procedural safeguards, often underestimating the human factor, which consistently represents the most exploited point of attack. This study addresses this gap by developing a comprehensive and quantifiable model for assessing human-induced cybersecurity risks. The paper introduces the Cybersecurity Human Vulnerabilities Exposure Index (CSHVEI), a novel framework designed to measure and operationalize human-related cyber exposure within Microfinance Institutions (MFIs) in Nairobi County, Kenya. Building on a critical review of existing cybersecurity exposure models and standards, including ISO/IEC 27001 and the NIST Cybersecurity Framework, the study identifies key limitations in capturing human-centric vulnerabilities. To address these shortcomings, the CSHVEI categorizes human-induced risks into three core domains: human error, ignorance, and negligence. Using a mixed-methods approach, the study integrates an integrative literature review with empirical survey data to derive, validate, and weight the index components. Statistical analyses confirm the significant contribution of all three vulnerability domains to overall cybersecurity exposure, with negligence emerging as the strongest predictor. The model is further operationalized through a prototype system that demonstrates practical application, enabling organizations to compute exposure scores, visualize risk levels, and generate targeted mitigation recommendations. The findings demonstrate that human behavior is a dominant determinant of cybersecurity exposure in MFIs, often overriding the presence of technical controls. 
By translating human vulnerabilities into measurable exposure metrics, the CSHVEI provides organizations and policymakers with an evidence-based tool to assess, compare, and manage human-centric cybersecurity risks, thereby strengthening organizational resilience and informed decision-making.