“Humans are the weakest link.”

Some of the people that use this phrase are well-intentioned. In fact, some of them even use it to try to elevate the importance of people. They think they are helping and being enlightened.

They might say:

• “People are the weakest link”, or
• “Users are the single biggest problem in cyber security”, or
• “The largest problem sits between the chair and the computer.”

On the face of it, these are all ways of saying that cybersecurity is not complete unless it accounts for how people behave.

Which, of course, is true.

The issue is this: People being “the problem” isn’t a helpful way to express this situation. And it’s not accurate. It’s overly negative. It’s lazy. And it doesn’t really make sense.

Saying that humans are the weakest link (in cybersecurity)” is a bit like saying the weakest link in a sports team is all the players. Besides, is there any other “link” of relevance? A mistake doesn’t make you “weak” in this context.

The person is part of the system, just like the technology, the processes, the policies. That system has multiple moving parts that act in lots of different ways and are under different constraints and pressures.

Good news: Academia really is doing an incredible job of debunking the “weakest link” view. There’s an enlightening study on human factors by Shari Pfleeger, Angela Sasse and Adrian Furnham, which goes some way to addressing this. It’s well worth reading.

The technology we put in place for our people must be usable. We must do more to create conditions and environments in which we make it easy to be secure. We need to design systems, technology, and processes that make doing the right thing the easiest thing.

And we need to engage our people. To help them understand how they can be secure without compromising their productivity. We need to stop overloading them smashing their “compliance budget” when we know there is only so much people can absorb. Awareness ‘training’ simply isn’t enough on its own.

My prediction is that we’ll start to see fewer people using the “weakest link” language as more of us start to genuinely understand human behaviours and the impact this has on security.

The sooner we do that, the better.

Many people who talk about people being the weakest link simply haven’t stopped to think. They mean well. But there are far better ways to acknowledge the importance of the user.

The bottom line: It’s high time we retired this tired trope.

“Security Awareness training = better behaviour”

This one is everywhere, and it comes in many forms, like:

• “The way to positively influence the human aspect of cybersecurity and user security behaviours is through training and education.”
• “Great Security Awareness education and training is generally a good use of workforce time.”
• “Education and engagement = better user behaviour (behaviour change) and reduced cyber risk.”
• “If we deliver great/better Security Awareness content and training then people will engage, learn and apply their knowledge, which will result in improved security behaviour.”
• “Education and engagement automatically lead to reduced cyber risk. They are a good thing irrespective of whether they actually change the security behaviours that matter.”

These statements are just nonsense. Let me explain.

There is no evidence that more training equals better security behaviours. In fact, there is evidence to suggest that we can train people too much and create an over-reliance on training.

Think about it: There are doctors who smoke. Knowledge in, behaviour change out is just not how behaviour change works.

So, this means that we need to stop and think: What do we actually want?

Do we want people who know and understand more? 

Or… Do we actually want behaviour change, and it’s more that we believe awareness is the route there?

If the goal is behaviour change, we need to look beyond education. Because the truth is, you can change behaviour without increasing knowledge.

And when it comes to cybersecurity, behaviour change—not awareness—is what reduces risk.

“If we can nail engagement, we’ll nail risk reduction.”

Stop me if you’ve heard this one before:

• “Education and engagement = better user behaviour (behaviour change) and reduced cyber risk.”

Like the last set of myths, this is a pervasive one. There are countless cybersecurity vendors selling interactive “fun” training, competitions, and games based around security awareness.

It’s hardly surprising, therefore, that we have whole security teams who genuinely believe that if they could just increase “employee engagement in security” they would see better security behaviours being exhibited.

But again, just like the last example, there is no scientific evidence to back this up.

(Plus, WTF does “engagement” mean anyway? And how many professionals out there are actually attempting to measure it?)

“Security Awareness is *actually* about so much more than awareness.”

• “Security Awareness means so much more than just awareness. Effective Security Awareness improves more than awareness. It improves the whole culture.”

So, we know that lots of people out there will try to tell you that security awareness is about more than “awareness”. They may throw around the word “culture”. They’ll probably conflate knowledge and behaviour change.

What’s happening here is an unhelpful blurring of lines, and mixing an action with a desired outcome. It’s extra-strength wishful thinking.

Spend a few minutes reading about behavioural science and you won’t be able to unsee it: behaviour change requires so much more than awareness.

If we’re being honest with ourselves, for as long as we term it “awareness”, the human aspect of cybersecurity will forever be constrained to training, education, and communications.

This simply isn’t enough to influence human behaviour. Therefore, it’s not enough to impact cybersecurity risk.

 “Security culture is the golden ticket to risk reduction.”

Few phrases get thrown around as freely as “security culture”.

But most people who use the term aren’t clear on its true meaning. Ask a bunch of professionals and you’ll get a range of answers like:

• “It’s everything to do with the human aspect of cybersecurity.”
• “It’s just behaviour.”
• “A good security culture is when there’s high engagement and knowledge.”

In other words, the phrase means all things to all people. And people love to talk about it, regardless of whether their security culture is making much of a difference to actual human behaviour.

What is security culture? Well, it’s the shared values, attitudes, perceptions and beliefs that shape what happens (from a security perspective) in an organisation or group.

When we fail to define it, we end up with another vague, feel-good term that won’t translate into real risk reduction.

“Good communication, messaging, training, and education = good security outcomes.”

When it comes to the human aspect of cybersecurity, most organisations’ desired security outcomes rely on better security behaviours, as well as values, attitudes, and beliefs (culture) that support these outcomes.

Good communication, messaging, training, and education can’t deliver these things on their own. In fact, they often waste resources, take up time, and even get in the way.

But this type of security awareness dogma often blinds organisations to more effective alternatives, like:

• Persuasion: Attempts to change attitudes or behaviours or both (without using coercion or deception)
• Behaviour nudges: Subtle attempts to influence behaviours and choices without restricting freedom or economic incentives
• Reminders: Direct prompts or alerts designed to jog memory
• Goal setting: Planned steps to reach a target
• Incentivization: Creating expectation of reward
• Coercion: Creating expectation of punishment or cost
• Restriction: Using rules or controls to reduce the opportunity to engage in the target behaviour
• Environmental restructuring: Changing the physical or social context
• Modeling: Providing an example for people to aspire to or imitate
• Enablement: Increasing means / reducing barriers to increase capability or opportunity

These are all techniques and tools that can be used to reduce human cyber risk and impact the human aspect of cybersecurity WITHOUT an over-reliance on training, education, and communications. And they are often more scientific, measurable and data-driven.

Bottom line: There is far more to managing and reducing human cyber risk than training, educating, and raising awareness!

“Tracking metrics means lower risks.”

• “Security Awareness education, training and simulated phishing adequately address security behaviours, and mitigate risk.”
• “Training completion, engagement and simulated click/report rates are an appropriate way to measure effectiveness or impact on human risk.”

Many organisations mistakenly believe that Security Awareness metrics—like training completion rates, engagement statistics, and simulated phishing click/report rates—directly correlate to behaviour change.

The truth? These are just surface-level indicators that fail to capture real security behaviours.

These are tick-box metrics. They tell us whether someone has clicked something. They don’t really tell us whether the full gamut of human risk has improved.