The Human Firewall: Building a Security-Conscious Workplace Culture


Why Security Culture and Human Factors Matter More Than Technology

I’m sitting here at my desk with my third coffee ingested and I’m thinking that security is not only fancy tech or shiny firewalls (although I kind of like it as well). It’s about people. The real humans on the system — those walking, talking vulnerabilities as well as your best defense. Having spent time in the trenches since ‘93—starting as a network admin wrangling muxes for voice and data over PSTN — I’ve experienced how even the most robust network becomes useless without a human firewall.

Or the whole Slammer worm mess? It went viral because someone somewhere let down their guard. It’s a classic tale, right? When the people behind the tech aren’t equipped, or worse, not interested in doing their part, technology is only as good as it can be.

Why It Pays to Be Paranoid, and Other Security Lessons From 2018

Here’s the rub — your staff can be your best security asset but also your biggest liability. Why? Because people are not machines. They fuck up, lose focus, have bad days, or simply don’t understand the effects of their clicks.

Taking people out of the security equation, however, is like getting into a car without a driver. Yes, you can automate and layer on things, but — well — humans are the pedals and the steering wheel at the end of the day.

One of my clients — a bank I recently took through a zero-trust upgrade — had all the tech bells and whistles. Yet the largest breach attempts came through phishing emails that were opened by even otherwise savvy employees. No tech would’ve prevented that; only their own vigilance and timely reporting did.

So basically, here’s the deal: you’ve got to turn your security culture from seeing people as a liability to making them vigilant defenders. And the good news is, you can do that.

Effective Security Awareness Training

Let’s be clear here: boring, annual “click the link” phishing courses … DO NOT WORK. Employees forget, they lose interest, or worse, they feel blamed and shut down.

In my experience, positivity is a huge part of effective security training, not because we need everyone with their head in the clouds, but because positive reinforcement simply works better. That means no scare tactics and no guilt trips.

Some tactics that have been successful:

  • Microlearning modules: Quick, focused lessons you can take during a coffee break. No one feels like sitting through two hours of webinaring after lunch.
  • Real-world scenarios: Employ case studies from your industry — or better, your company (obviously, don’t name offenders) — to make risks more concrete.
  • Reward: Commend employees who identify a phishing attack or report anything suspicious. Believe me, a big shout-out can mean the world.
  • Shunning blame: Don’t make mistakes a reason for getting fired. Folks have to feel safe owning up to mistakes.

Game-based Security Practices

Here’s where it gets interesting — and yes, I’m a sucker for gamification. I have just now returned from DefCon’s hardware hacking village, and those folks can make a game of security.

Gamification of security training or reporting can increase participation. Think leaderboards, badges, team challenges — but keep it real. No one wants to feel forced.

Try tossing in things like:

  • Phishing drills with teeth: The spoofed email is one of the most damaging attacks a company faces; retrain your staff so they can spot it and report it.
  • Escape room-style puzzles: Diagnose a problem with a system or find a security hole in a simulated setup.
  • Competitive collaboration: Departments compete against each other around security knowledge or compliance.

One of the banks I recently worked with rolled out a gamified program and blew their previous numbers out of the water: engagement went up, and phishing clicks were cut in half in some cases.

Measuring Security Culture

You can’t manage what you don’t measure. But it’s difficult to measure something as intangible as “culture.” Traditional metrics such as reports of incidents or clicks are a beginning, but they don’t tell the whole story.

Here’s a guide for taking the security culture pulse a little more effectively:

  • Surveys of employee attitude (not just knowledge) toward security.
  • Follow-up and monitoring of attendance at training and gamified activities.
  • Tracking of reported incidents and near misses.
  • Systematically soliciting feedback on policies and on how communication is working.

But don’t become too obsessed with numbers alone. Culture is about behavior and mindset, and measuring that needs qualitative input as well.

Leadership’s Role

No security culture succeeds without leadership buy-in, period.

If a company’s C-suite approaches security like a tick-box, guess what? Your workforce will too.

As a security consultant who just finished guiding zero-trust implementations for some large banks, my view is that leadership should be seen as the face of security. That means:

  • Discussing openly the risks and their own security practices.
  • Making investments in education for employees.
  • Reinforcing positive security behaviour rather than just punishing errors.
  • Being an example even in small ways (yes, even password hygiene—that’s a personal pet peeve of mine).

Establishing Good and Lasting Habits of Security

Behavior change isn’t a switch; it’s more like cooking a slow stew — you need the right ingredients, patience and consistent heat.

Behavioral psychology teaches us that blame-based messages push people away. Instead, emphasize motivation and continued support.

Some habits that stick:

  • Making security practices so much a part of the day that they become second nature.
  • Reminding people, without nagging, to stay safe.
  • Promoting support and learning between peers.
  • Greater transparency about threats, so employees feel a connection to the “why” as well as the “do.”

Quick Take

  • Your people are the first line of defense in your security system.
  • Training: Make it brief, upbeat, authentic.
  • Gamify for engagement, but gamify with purpose.
  • Metrics: track attitudes + actions vs clicks only.
  • Security has to be the priority for leadership, no question.
  • Change takes time — don’t expect miracles overnight.

One last thing: I’m still a little wary of any security solution that markets itself as AI-powered—as if anything associated with artificial intelligence were mana from the gods. Tech’s vital, yes, but people? Even more so.

So, if you’re mulling an investment in your organization’s cyber resilience, don’t go out and buy firewalls or fancy NOCs. Invest in your human firewall. It’s the layer that marries technology to actual protection.

And hey — if you ever want to trade war stories from the good ol’ days of PSTN muxing, or figure out how to build that culture from the ground up, you know where to find me.

A motley crew of office workers linking up around digital assets, a human firewall and subtle reminders of vigilance and teamwork, security alerts managed well
