CybSafe’s CEO and founder Oz Alashe unpacks why your colleagues keep missing the point on behavioral risk – and what to do about it
Cynicism towards cybersecurity advice and tools is high. And…so is the threat level.
The gnarliest part? One feeds the other. And vice versa.
It’s a never-ending cycle, or so it seems.
But there is a way out. We can explain. And it starts in people’s minds.
That’s how many people feel about cybersecurity. The “Oh Behave!” Annual Cybersecurity Attitudes and Behaviors Report 2023 revealed how, of its 6,000 worldwide participants:
Fixing this is only the beginning. But unless we fix it, other efforts will only ever go so far.
Research (like this paper) suggests that interventions are more effective when they account for individual differences.
This means ditching the “one-size-fits-all” approach and tailoring strategies to the specific needs and vulnerabilities of each unique human being.
It’s not easy. But it’s not as hard as you think, either.
And it’s the best way to help people to protect themselves from cyber threats.
It starts with trust. And stopping the cyber-nag.
Wipe your feet! Say thank you! Wash your hands!
These are all reasonable things to do. So why is that rage and irritation rising? Is your inner rebellious teenager taking over your usually rational self?
Yep. That’s how your people feel when you nag them about cybersecurity.
That feeling you get when someone tells you what to do…especially about things you feel you control?
Psychological reactance. That’s its name. It’s hardwired into all of us. And…it’s a major cybersecurity roadblock. (Want a deeper dive? We like the way this blog post explains it.)
Think about the average security training session on offer. Dry lectures, endless dos and don'ts, and that suffocating feeling of being micromanaged. No wonder people tune out.
And no wonder people don’t trust the interventions. Interventions like these don’t change people’s risk.
Forget the tired lectures and finger-wagging. It's time to ignite a spark in your people, a spark that turns them from passive listeners to active defenders. Here are some ideas to get you started:
1. Talking "why," not "what": Instead of barking orders, it pays to tap into what keeps people up at night. Do they worry about protecting their families? Boosting their careers? You can show people how cybersecurity connects to their personal goals, how safer habits can unlock those doors. Try to lose the security jargon—speak their language, their hopes, their dreams.
2. Ditching the ego, embracing empathy: Showing your humanity is powerful. For instance, sharing your own real-life security snafus. People respond well when you acknowledge their concerns. Show them that you get it—you understand that technology can be frustrating, and that remembering passwords can be a pain.
3. Helping to unleash the inner hero: No one wants to be a cog in the security machine. Help people see themselves as the protagonists, not the damsels in distress.
4. Showing > telling: Where can you use simulations, practical exercises, hands-on demos? How can you give people a playground to experiment, to fail, to learn? Let them see good security practices in action, not just hear about them in theory.
Remember when we said it’s important to think about each unique human being?
We meant it.
Security awareness personalization. It’s vital. Here’s what the Quirks report has to say about why:
There’s a lot more to this. Of course there is. Humans are complicated. Fascinating. Often underappreciated in cybersecurity.
You might be wondering:
Which is why it’s well worth taking a peep at [LINK: the report] for the full picture. But as well as that, you might find it helpful to check these resources out too:
CybSafe’s guide to security awareness personalization
Blog: Can fun personalization really change security behaviors?
Blog: The three big concepts behind cybersecurity personalization.
How CybSafe helps security teams avoid triggering people’s inner teenager (psychological reactance)
GUIDE: Tailoring, not dictating: CybSafe GUIDE personalizes security advice based on individual roles, responsibilities, and even risk profiles. This avoids the “being told what to do” feeling. Instead it empowers people to take ownership of their security behaviors.
PHISH: No dry drills or theoretical scenarios here. This is about learning by doing. CybSafe PHISH throws realistic simulated phishing attacks at people. It lets them experience the pressure and make choices in a safe environment. This hands-on approach builds their critical thinking and confidence in identifying real threats…without the frustration of receiving a dry lecture.
RESPOND: Mistakes happen, but CybSafe RESPOND focuses on learning and improvement, not finger-wagging. Reporting suspicious activity is a collaborative effort, not a fear-inducing chore. This positive reinforcement empowers people to actively participate in building a stronger security culture.
In the high-stakes game of cybersecurity, all proven tactics deserve a seat at the table.
That means personalization and gamification deserve a seat at your table.
They push interventions beyond generic one-size-fits-all approaches, and help you craft experiences that resonate with people.
When you do that, good cybersecurity habits stick…like Velcro.
Download the full report for more about personalization interventions—like the 3 key factors that drive every action anyone takes, ever!