Security controls often fail not because they are absent or technically flawed, but because they collide with human behavior under real operational pressure. History offers a clear warning; during the 1916 Battle of Jutland, the British battlecruiser HMS Invincible was destroyed when safety controls designed to prevent catastrophic explosions were deliberately bypassed to increase the rate of fire. Those decisions were not reckless; they were made by disciplined professionals under leadership pressure to move faster and win. The result was catastrophic.
This talk uses Invincible as a case study in human‑centered control failure and applies its lessons directly to modern cybersecurity. The problem is familiar: when security controls introduce friction that slows mission success, motivated and well‑intentioned people find ways around them. Domain administrator overuse, shared service accounts, skipped reviews, and insecure workarounds are not anomalies—they are predictable outcomes of misaligned incentives and poorly designed controls.
The approach of this session is comparative and behavioral rather than technical. By examining historical post‑incident analysis alongside contemporary enterprise security practices, it demonstrates consistent patterns in how speed, incentives, and leadership priorities shape behavior. The key finding is that strengthening security does not come from more controls, but from controls designed to align with real workflows, cognitive load, and operational urgency.
This session argues that human behavior is not the weakest link—but the design constraint we most often ignore. For defenders and leaders alike, the significance is clear: security controls must be engineered for how people actually work, or they will fail precisely when they matter most.