Introduction

Despite increasing digital risks, existing policies fail to adequately protect internet users. Digital divide policy—encompassing policy and strategies aimed at reducing digital inequalities—often focuses on access, yet fails to address the real cybersecurity risks that users face online. Cybersecurity policy has understandably centered on technical defenses and expert-driven solutions. These two domains are tackling different dimensions of the same underlying problem: vulnerability in digital environments. Without integrating both perspectives, users—especially those navigating limited digital environments—remain disproportionately vulnerable. A more effective approach requires these policy areas to inform one another, ensuring that a lack of digital access, skills, or literacy does not lead to a cybersecurity risk.

Typically, the response to a cybersecurity risk is to eliminate that risk through system-level safeguards, secure design, and vulnerability mitigation. Cybersecurity policy and related frameworks, like those developed by the National Institute of Standards and Technology and the nonprofit research organization RAND, have naturally followed this structure. However, these frameworks also contain an underemphasized but important recognition: users themselves need more information and support to understand their vulnerabilities. Without a stronger effort to equip individuals, current frameworks risk protecting the infrastructure while leaving users exposed to malicious online threats.

This report aims to challenge assumptions behind both cybersecurity and digital divide policy by highlighting how human vulnerabilities—such as lack of access to secure infrastructure, low digital literacy, and insufficient digital skills—directly contribute to cybersecurity risks. While scams, fraud, and exploitative tactics are often framed as cybersecurity awareness issues, this perspective can overlook deeper, root causes that shape how individuals experience and respond to risk in an increasingly connected world. When we understand that human vulnerabilities are inseparable from cybersecurity risks, the path toward effective, integrated solutions becomes clearer.

The report begins by first defining what is meant by cybersecurity vulnerabilities and homing in on an important but underappreciated subset of these vulnerabilities—human vulnerabilities. The report then examines and critiques traditional narratives and assumptions that have hindered the recognition of human vulnerabilities in understanding cybersecurity risks, which in turn have limited the formulation of effective responses. Next, the report discusses a potential convergence in policymaking designed to bridge the digital divide and cybersecurity policymaking. The report concludes by discussing concrete policy solutions, informed by the groundwork laid by previous efforts related to addressing the digital divide, while underscoring the urgent need for more effective, equity-driven approaches. At the intersection of human and cybersecurity vulnerabilities lies the opportunity to build a more equitable digital future—one where all users are empowered to engage securely and confidently.
