
Cyber security: another way to make you feel bad about yourself

Nov 27


You receive an email from your manager. They need you to send them something – urgently. You don’t want to let them down, so you quickly fire it across.


And then you find out that it wasn’t your manager sending you something. Nor was it your preferred supermarket sending you £500 in shopping vouchers the other day.


You’ve been phished.


The worst part is you start thinking about every interaction you’ve had lately and worry about what else could be compromised. Every click, every password, every email. Your natural reaction is to feel awful about yourself for making such a mistake. Self-doubt grips you.


While it is natural to feel this way, it doesn’t necessarily mean you’re the worst person to walk the planet. 


The language we often use in cyber security is framed to make us feel bad about ourselves for those moments of weakness, those lapses in judgement, when we fall for an attack. Fearmongering dominates the industry. And it’s time to change that, because it often compounds the problems it's trying to solve. 


The traditional narrative

The idea of ‘people, process, and technology’ underpins all cyber security. Yet, of those three, the focus is often heavily on people being the weakest link. Which, admittedly, isn’t entirely untrue. Weak passwords, emails sent to the wrong person, and falling for social engineering if we’re distracted are issues that are rife in people’s relationship with cyber security.


But they are also entirely understandable failings based on very normal limitations of the human mind.


It’s easy to blame people. Anger is also a natural reaction. It shifts responsibility and brings a sense of relief. 


I get why so many cyber companies lean on this trope in their sales. To successfully pitch to companies you need to draw on feelings that motivate people to take action. And, in the cyber industry, the ‘obvious’ feeling is fear. It’s an easy choice for creating the same sense of urgency as realising you’ve been phished.


But… has blaming anyone ever had a net positive result?


If fear is all you have to sell, then I fear you might not truly understand the power of your service offering. In many other industries, we’re quick to judge an ambulance chaser or anyone who profits from negative feelings. We see that as obvious emotional manipulation. But not so with cyber security. Hmm.


How this narrative works

Sure, fear is a powerful tool. But it’s also risky. If done incorrectly, it triggers our natural flight response – which is a powerful way to get people to simply run away and ignore the issue.


That probably isn’t the result you want if your goal is to persuade someone to buy.


Security awareness programmes often really lean into that fear aspect: “you are the risk if you do something wrong”, “you will cause a massive breach and data leak if you’re not paying proper attention”. While this is correct and logical, this approach invokes shame and anxiety in people, who will tend to do anything, no matter how illogical, to avoid those feelings. So when they do make a mistake, they are far more likely to hide it and avoid responsibility.


Surely there’s a more productive and effective way of convincing someone to take action to protect themselves? After all, cyber security is a journey, right?


We all know there’s more to cyber risk than just human vulnerability. It’s a combination of factors that can look on the surface like a single point of failure (that often happens to be a human). Company culture, systems, tooling, habits, biases… There are so many factors at play across your people, processes, and technology. You don’t know what you don’t know. So why not focus on finding things out, so that you do actually know, you know?


A better way

Instead of treating humans as the weakest link, we should see ourselves as a vital part of the overall strategy. You can frame humans as a centre of risk and liability, or as a net positive contribution.


And, for us to perform our role to the required standard, we need to be both enabled and empowered.


Laying an educational foundation, rather than one built on fear, moves the focus from the individual to a systemic level — encouraging a wider security-focused culture.


Instead of telling organisations they’ll certainly get breached and that human error increases this risk, consider explaining how you’ll protect their data and why this matters in the here and now. This is far easier to connect with, and less easy to ignore.


Provide training that doesn’t just scare people into avoiding the problem or owning up to an issue before it gets worse. Equip people with the knowledge to solve issues on their own. Offer illustrations of real scenarios and demonstrate how both individual and systemic changes can have a deeper impact than fear.


Need to update your marketing messaging? Drop me a message and let's talk.





© 2025 by Kaytie Ward. All rights reserved.
