Words: Jody Williams for the Security Awareness Team
Webinar Recording: Beyond Fear - Rethinking cybersecurity awareness by Brian Honan
“Do not cross this pasture unless you can do it in 9 seconds, because the bull can do it in 10.”
This farm‑gate warning is a favourite of security expert Brian Honan. It’s funny, memorable, and — most important — effective: you know exactly what will happen if you ignore it. Humour and clarity, he argues, beat fear and jargon every time when we’re trying to keep people safe online.
Brian, founder of Dublin‑based BH Consulting and creator of Ireland’s first national CERT, has spent 25 years helping everyone from small startups to global multinationals navigate cyber risk. “I’m a tech geek, I love technology,” he says, “but at the end of the day, everything we do is about people.”
That people‑centred philosophy powers his Beyond Fear approach to security awareness: stop scaring, shaming, and blaming users, and start building an environment — technical, organisational and cultural — that keeps us all safer.
Brian explores these ideas in depth in GEANT’s on-demand webinar, Beyond Fear: Rethinking security awareness to empower, not intimidate. Here, he explains why ditching fear-based messaging for a more empathetic, empowering approach is key to improving security.
Why the old security-awareness playbook stalls
Traditional awareness programmes were written by IT teams, and it shows. Email campaigns brim with jargon — phishing, smishing, quishing, vishing — and instructions are often unclear for non-technical readers.
“Once I was explaining phishing to my father, and he said, ‘Oh, you mean scams.’ We don’t need to invent cool buzzwords. Let’s use simple words people already understand.”

The second problem is structural. Most of the software we rely on at work and at home — operating systems, web browsers, applications — isn’t particularly secure. Even security tools are often not user-friendly: “MFA is a great tool to make things more secure, but we haven’t designed it to be easy or intuitive to use.”
“For most people, doing their job requires opening emails and attachments and clicking on links — yet we in the IT department tell them not to. But if we had secure systems, somebody clicking a link shouldn’t take down your network.”
The fact that it still can points to deeper failures — patching gaps, bad segmentation, insecure software — long before a user ever meets the email in question.
Blame culture and the price of shame
Because human error plays a part in most breaches, it’s still common to label users ‘the weakest link’. Brian rejects this mantra, which blames users for the risks arising from wider security flaws in their environments.
“Even the best of us fall for phishing — Troy Hunt lost his Mailchimp account that way. If that can happen to Troy, then John and Mary in Accounts don’t stand a chance.”
Simulated phishing campaigns that punish clickers only deepen mistrust. Some firms tempt staff with fake emails promising a bonus, then expose the ruse and assign training videos. The lesson employees learn isn’t caution, but concealment: reporting a mistake now means ridicule and punishment. “Continually trying to trick people doesn’t engender an environment of trust,” says Brian.
Worse, it hurts real people. A recent UK survey revealed that 62% of cybercrime victims felt traumatised and 59% felt shame after the incident. Why would we simulate that experience for our colleagues?
Crucially, the traditional approach is also ineffective. For two decades we’ve created posters of shadowy hackers in hoodies and run “don’t click!” drills — yet the average employee still clicks a phishing link after just 21 seconds. Clearly, fear alone isn’t changing habits.
The Beyond Fear mindset shift
Beyond Fear replaces fear-based messaging with a person-centred approach emphasising understanding, responsibility and user empowerment. Brian sums it up:
“Stop ridiculing and punishing people for doing what the systems are designed to let them do.”
He advocates focusing on the impact of cyber breaches on people, rather than on computers and data and networks. “Cybercrime has real-world impact on individuals, from having their personal data leaked to losing their jobs if ransomware shuts down a business.”
The Beyond Fear approach combines four key principles:
1. Human-centred communication
Effective messaging comes from creativity, not scare tactics. Technical teams need help from communication pros who can translate risk into plain speech, memorable images and relatable stories. Brian collects signs like the 10-second bull warning cited above because they prove humour and surprise grab attention without alienating readers.
“A bit of humour is awesome. What’s more effective: a sign saying, ‘No speeding’ or one saying, ‘Drive slow and see our city; drive fast and see our jail’?”

2. Positive reinforcement
Positive reinforcement, not punishment, is the guiding rule. BH Consulting’s email‑security tests therefore focus on systemic weaknesses rather than individual mistakes: their reports map every technical control a fake message slipped past, but don’t name who clicked.
When someone reports a suspicious email, Brian recommends an immediate, courteous reply: “Thanks, it was malicious and we blocked it,” or “It turned out harmless, but we appreciate you flagging it.” Feeling respected rather than ridiculed, staff are far more likely to keep reporting the next suspicious thing.
3. Secure-by-design technology
Software vendors still dodge liability with end-user licence agreements that amount to ‘use at your own risk’. This approach would be unthinkable in most industries:
“Would you eat in a restaurant that took no responsibility if the food made you sick?”
Software and hardware vendors, Brian argues, must shoulder real accountability. Until default settings are safe and interfaces intuitive, awareness campaigns amount to telling passengers to avoid injury by bracing in a car with faulty brakes and no seatbelts.
4. A holistic approach: the road-safety analogy
Seatbelts, airbags, speed limits, driver licences, police patrols — the entire road safety ecosystem works only because everyone shares responsibility. This didn’t happen voluntarily, but because legislators demanded it, forcing manufacturers to engineer out avoidable risk and drivers to pass tests.
Cybersecurity needs the same holistic approach: strong regulation, secure-by-design standards, vendor accountability and genuine user empowerment.
“Awareness on its own won’t make you secure. Firewalls on their own won’t either. All these things have to work in concert.”
What the AI age changes — and what it doesn’t
AI can now create perfect prose and mimic voices and faces. But the underlying con is the same. “Fundamentally, criminals are still trying to trick and scam people by getting you to do something you wouldn’t normally do. So, we need to focus security awareness on saying: pause and verify.”
Brian recommends having a family ‘safe word’ to verify urgent requests for help.
“If my mother ever gets a phone call from ‘me’ saying I’m stranded or need money, she knows to ask for the name of my first dog. An AI won’t know that.”
Institutions can adopt equally simple pause-and-verify procedures: no payment instruction changes without an out-of-band check; no research-data transfer without two pairs of eyes.
Practical starting points for research and education organisations
Brian recommends four steps to reduce the threat of social engineering:
- Measure the right things. Identify the behaviour change you want and work backwards to develop your messaging. Instead of counting clicks, track how many users escalate suspicious messages (and thank them). Rising reports signal growing vigilance and trust.
- Use plain language. Forget vishing and smishing: call a scam a scam. Swap ‘advanced persistent threats’ for criminals. Everyday wording makes it clear what the issue is and what action to take.
- Use free resources from ENISA and European Cybersecurity Month. ENISA’s Awareness Raising in a Box game offers an interactive alternative to death-by-PowerPoint.
- Implement robust verification. Require secondary confirmation for grant-transfer requests or supplier-bank-detail changes. Shared responsibility reduces single-point failure.
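The first step above (count escalations, not clicks) and the person-blind test reports described earlier can be turned into a small metrics routine. This is an added example, not code from the article or from BH Consulting; the event log, user ids and list of bypassed controls are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events for one simulated campaign (hypothetical data).
@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str      # pseudonymous id; never surfaced in the report
    action: str    # "delivered", "clicked" or "reported"

T0 = datetime(2024, 5, 6, 9, 0)
EVENTS = [
    Event(T0, "u1", "delivered"), Event(T0, "u2", "delivered"),
    Event(T0, "u3", "delivered"), Event(T0, "u4", "delivered"),
    Event(T0 + timedelta(seconds=21), "u1", "clicked"),
    Event(T0 + timedelta(minutes=2), "u2", "reported"),
    Event(T0 + timedelta(minutes=5), "u3", "reported"),
    Event(T0 + timedelta(minutes=7), "u1", "reported"),  # clicked, then reported: still counts
]
# Technical controls the simulated message slipped past (constructed list).
CONTROLS_BYPASSED = ["sender authentication", "URL rewriting", "attachment sandbox"]

def campaign_metrics(events, controls_bypassed):
    """Aggregate, person-blind metrics for one campaign: how many people reported,
    how fast the first report arrived, and which technical controls failed.
    Clickers are counted but never listed, so the output can be shared widely."""
    delivered = {e.user for e in events if e.action == "delivered"}
    clicked = {e.user for e in events if e.action == "clicked"}
    reported = {e.user for e in events if e.action == "reported"}
    start = min(e.ts for e in events if e.action == "delivered")
    first_report = min((e.ts for e in events if e.action == "reported"), default=None)
    return {
        "delivered": len(delivered),
        "report_rate": round(len(reported) / len(delivered), 2),
        "click_rate": round(len(clicked) / len(delivered), 2),
        # people who clicked and then reported are a win, not a failure
        "clicked_then_reported": len(clicked & reported),
        "minutes_to_first_report": (first_report - start).total_seconds() / 60
        if first_report else None,
        "controls_bypassed": list(controls_bypassed),
    }

if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS, CONTROLS_BYPASSED).items():
        print(f"{key}: {value}")
```

Tracking `report_rate` and `minutes_to_first_report` across successive campaigns gives the rising-reports trend the article asks for, while the missing user names keep the report from becoming a blame list.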
The research challenge: who will invent the cyber seat belt?
Beyond improving internal security awareness, Brian poses “a much bigger ask” to the academic community: develop tools that make security stronger and easier for everyone.
“We all hate juggling multiple MFA apps. I have at least four. Why can’t we have one MFA tool to rule everything?”
He invokes Nils Bohlin, the Volvo engineer who gave the world the modern three-point seat belt patent-free — a gift that has saved millions of lives.
“We need a cyber equivalent of Nils Bohlin to invent a tool that makes our systems and our online experience far more secure for everyone.”
Conclusion
Fear may grab attention, but it rarely changes behaviour for the better. By engineering safer systems, communicating with empathy, rewarding vigilance, and sharing responsibility across the whole ecosystem, we can treat users as partners rather than convenient scapegoats — and make the online world as survivable as that pasture with the bull.
About Brian Honan

Brian Honan is a globally recognised authority on cybersecurity and data protection. He is the founder and CEO of BH Consulting, an independent cybersecurity and data protection consultancy. Brian has been a driving force in developing national and international cybersecurity strategies and has served as a special advisor to Europol’s Cybercrime Centre (EC3). He is also a member of the Advisory Group of ENISA (European Union Agency for Cybersecurity), and a frequent keynote speaker, author, and media contributor on digital security topics.