Title: How can Design Thinking benefit Cybersecurity?
Authors: Arunkumar, Mrudula; Schunck, Christian Heinrich; Ben Mamia, Salma; Roßnagel, Heiko
Type: conference paper
Date: 2025-06-10
Year: 2025
License: CC BY-SA 4.0
DOI: 10.18420/OID2025_11; 10.24406/publica-4744
URL: https://doi.org/10.24406/publica-4744
URL: https://publica.fraunhofer.de/handle/publica/488426
Language: en
Keywords: Human Factors; Design thinking; Cybersecurity; Human Behaviour; Security Policy

Abstract: Human error and insufficient security awareness remain the largest cyber-risk factors for organizations. Despite the prevalence of security training, employees often fail to translate knowledge into secure behaviour, leaving a gap between security awareness and secure behaviour. Hence, integrating human factors beyond awareness into cybersecurity is crucial, with the focus on steering the actions people take rather than on the technical protection offered by security systems. Donald A. Norman's The Design of Everyday Things is one of the pioneering books that introduces how intended actions can be achieved through user-centric product design. Consequently, it provides a lens for rethinking the security policy designs developed to enforce cybersecurity. This short paper therefore proposes a new framework involving design thinking principles to help design better security policies with a human factor focus.