The “human factor” in cybersecurity gets a lot of attention; you’ll usually hear people say things like “humans are the weakest link”. Well, that’s not exactly news, and blaming people for being human is like shaking your fist at the sky when it rains. Technical controls (like an umbrella in a downpour) are generally a better strategy.
I mean, you can blame people for getting caught in the rain or you can give them umbrellas, right?
Still, security awareness is and will remain an important part of any security strategy, and getting people to understand and care—“hey, yo, rain happens, you might get wet”, “you might get mugged”—is the hard part. You can’t and won’t move the needle by a lot, but you can move the needle a little, and it is worth dedicating some time and money to doing so.
That means metaphors. Communicating security risk to non-technical people is like explaining particle physics without math. It’s all a bit handwavy and not quite exact but there’s really no alternative.
“Cyber street smarts” is one way of communicating the problem that I’ve found effective. Everyone understands (or, frankly, should understand) the risks to their physical safety in a big city. Any big city in any country, for that matter—not picking on any specific city. Any big enough city has enough street crime that you should be aware of your surroundings and not put yourself in a vulnerable position.
What makes this conversation harder is that cyber street smarts address invisible things: invisible muggers with invisible guns who want to steal your invisible wallet. It’s enough to make a non-technical person exclaim in frustration that we’re all paranoid.
Yet all the same the risk is real, the invisible muggers are real, and they really are out to get you.
Or maybe not you, specifically. They may simply be out to get anyone, and don’t care much who they get as long as they get someone.
That's why cybersecurity people are constantly talking about bears and campers in the woods. We don’t have an outdoors fetish but sometimes letting your friend get eaten is the best way to survive.
Not your friend at work, obviously—your friend at another company. And then things get weird because metaphors break down under close scrutiny.
Security awareness training is overemphasized as a tool to meaningfully reduce security risk, but that is neither a cause for despair nor a good reason to abandon security awareness training. Rather, it is an incentive for pragmatic realism: mitigate risk with what you can, within your budget, given your threat model and your users.
And then go focus on technical controls that offer much greater security ROI.
Umbrellas against it raining invisible muggers, anyone?