Understanding the human factor in building security resilience