NIST Cyberpsychologist Reframes 'Safety' As The Human Center Of More Resilient Defense

The Security Digest - News Team
Published February 9, 2026

Cyberpsychologist Dr. Erik J. Huffman explains why organizations must shift their focus from technical security to psychological safety to build a more resilient, human-centered defense.

Key Points

  • The decades-long pursuit of perfect security has created a toxic culture of blame that paradoxically makes organizations less safe.

  • Dr. Erik J. Huffman, a Cyberpsychologist and NIST Research Collaborator, argues that treating employees as a strength instead of a weakness can drastically improve organizations' resilience and response to threats.

  • Huffman suggests reframing cyber threats as psychological rather than using attack-based metaphors can help organizations engage employees more effectively.

In chasing the unattainable goal of perfect security, cybersecurity professionals unintentionally create a culture of blame that can burn out teams and warp incentives. A growing cohort suggests that the more effective approach is to design for the realities of human nature rather than trying to achieve ultimate technical control.

One expert spearheading this school of thought is Dr. Erik J. Huffman, a Cybersecurity Researcher, Cyberpsychologist, and two-time TEDx speaker. As a Research Collaborator with the National Institute of Standards and Technology (NIST), Huffman is deeply immersed in the study of how the human brain functions in a cyber environment. He believes the industry must abandon its flawed premise of security and embrace a new framework centered on safety.

"Secure doesn’t really exist. The only thing that exists is an acceptable level of insecurity, and when we chase ‘secure,’ we just run ourselves into the ground," says Huffman. His central point is a reframe of the entire problem. Secure, he explains, is an impossible technical state. Safe, on the other hand, is a psychological condition that allows people to operate effectively within an inherently insecure environment.

  • A mental seatbelt: To illustrate, Huffman raises the analogy of driving a car. "That in itself is a risk, but you wear your seatbelt. If something happens, you feel safe enough." The sense of safety is what enables people to get to work and other places they need to be. Such a change in perspective suggests a need for organizations to foster a human-centered approach that empowers employees to work with confidence. "If I don’t feel safe, safety doesn’t exist. You can tell someone they’re secure all day long, but until they feel safe enough to do their job, it doesn’t matter."

This view challenges the long-held assumption that humans are the weakest link. While industry data shows that the vast majority of breaches involve a human component, Huffman says framing people as the problem creates a culture of fear where employees are afraid to report mistakes. "It's a slap in the face to a lot of people to say, 'hey, you're a problem.' And now they're scared for their job." That silence is an attacker's greatest ally, as a delayed response to a breach dramatically increases risk and financial impact.

  • Pressure to click: Bad decisions, Huffman explains, are often a predictable outcome of the emotional hot states that many modern business cultures inadvertently promote by glorifying qualities like being fast-paced. "If employees get an urgent email from someone posing as the CEO, their instinct is to comply to make sure they don't lose their job. Those types of behaviors make sense. That's just real people living real life and it causes actual data breaches."

He advocates for treating humans as a strength rather than a weakness, which requires a leadership style rooted in inquiry. Understanding the human context behind a click, he says, is more effective than shaming users for their failures. "I ran a campaign where a person who clicked told me they were going through financial and personal issues. Once you get the context, it starts to make sense. If you don't understand the context of why this person clicked a link, you're missing a lot."

Context also matters immensely when deploying new AI tools. Huffman cautions against giving AI the wholesale ability to make decisions. "If you don't have a human in the loop and you're blindly trusting something, that's a security risk. You absolutely need to keep a human in the loop to understand the context, because an AI solution may not make the decisions you would want it to make within the context of your organization."

  • Shame game: One surprising factor that's obstructing innovation for both individual organizations and the industry as a whole is embarrassment. Huffman asserts that the fear of reputational damage can prevent organizations from sharing details of a breach, which allows attackers to copy and paste the same exploits over and over. "We can learn a lot from sharing information like downfalls and near misses, but companies want to protect their reputation more than they want to protect their neighbor."

  • Numb to the numbers: The irony, he says, is that the public has become so accustomed to data breaches that this fear of reputational damage is largely unwarranted. "So many breaches have happened that people are just so used to it now." While rare exceptions like 23andMe's bankruptcy and subsequent distress sale exist, most breached companies survive without issue.

The solution, he suggests, calls for changing the story. He finds the common framing of "cyber warfare" can alienate everyday employees. "Telling an accountant that they are now in a cyber war—some people aren't built for that. They don't want to fight a cyber criminal." To help humans become more reliable defenders, he advises shifting the narrative away from combative metaphors and toward the principles of psychology. "It makes more sense to people if you reframe it around manipulation and explain that someone is trying to fool them. People are okay with that because they don't want to be manipulated or fall for lies."