I talk to a lot of people about digital security. Too often, someone recounts their last conversation with a consultant who tried to win the work by frightening them. I have watched it happen in real life. Different bar, different badge, same routine.
The pandemic briefly paused the theatre. Big events went online, then came back in hybrid form. The hard sell did not vanish, but buyers got sharper and the good operators focused on what works. That is a change worth keeping.
What never sat right with me is the basic tactic. If you frighten someone into signing, you also teach them not to trust you. You create a jumpy client who hears thunder in every cloud. That is not partnership. It is a dependency.
The worst example I have seen was in Las Vegas during DEF CON. A self‑styled hacker was spinning a couple a tale of nation‑state doom. Every buzzword got an airing. When they admitted they kept passwords in a notebook at home, he mocked them and described how he could empty their accounts.
Here is the truth he did not know or did not want to say. Writing down passwords is not a cardinal sin if you store the notebook securely and away from the devices it unlocks. It beats reusing one weak password everywhere. Better still, pick three random words for long, memorable passwords, use a password manager, and turn on multi‑factor authentication wherever it is offered. If passkeys are an option, even better.
That is the theme here. Respect people. Design out the risk. Do not put the whole burden on perfect behaviour. Even the NCSC’s own guidance says to stop blaming users and build systems that limit the blast radius when someone clicks the wrong link.
Since COVID, a few things have hardened into the baseline. Remote and hybrid work are normal. Multi‑factor authentication has moved from nice to have to expected in many environments, and the advice is shifting toward phishing‑resistant methods where possible. The angle is practical. Make the safer option the easy default, then measure it.
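To make the password advice above concrete, here is an added example (mine, not the post's or the NCSC's code) that generates a three‑random‑words passphrase with a cryptographic random source and puts numbers on the logic behind it. The short wordlist is a constructed sample; the 7,776‑word size is that of the EFF long wordlist; and the sizes used to model a typical human "complex" password (common word, two digits, one symbol) are my assumptions for illustration.

```python
"""Three random words: generation and the guessability maths behind the advice.

Added example, not part of the original post. SAMPLE_WORDS is a constructed
stand-in; a real generator would use a large list of common, easy-to-spell
words (the EFF long list has 7,776 entries, hence EFF_LONG_LIST_SIZE).
"""
import math
import secrets

# Constructed sample wordlist. A real list has thousands of words; the size
# of the list is what sets the entropy, so a short list like this is only
# for demonstration.
SAMPLE_WORDS = [
    "coffee", "thunder", "notebook", "badge", "cloud", "pilot", "anchor",
    "ladder", "marble", "orange", "violin", "window", "garden", "rocket",
    "pepper", "silver",
]

EFF_LONG_LIST_SIZE = 7776  # 6**5 words, the well-known diceware list size


def random_words(wordlist, n_words=3, separator="-", rng=secrets):
    """Pick n_words uniformly at random using a CSPRNG.

    The default rng is the secrets module; never substitute random.choice
    here, because the random module is predictable and unsuitable for
    secrets. The rng parameter only exists so a caller can inject a
    stand-in that exposes .choice().
    """
    if n_words < 1 or not wordlist:
        raise ValueError("need a non-empty wordlist and at least one word")
    return separator.join(rng.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n_words drawn uniformly from wordlist_size options.

    This counts only the randomness of the choice, not the characters, so
    longer words add memorability and typing length, not bits.
    """
    return n_words * math.log2(wordlist_size)


def random_chars_entropy_bits(alphabet_size, length):
    """Entropy of a truly random character password, for comparison."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(*choice_sizes):
    """Entropy of a password built from independent human choices.

    Each argument is the number of options for one slot, e.g. a common word
    chosen from 10,000, then two digits (100 options), then one of 10 popular
    symbols. Assumed sizes, used to model the "Word12!" style of password.
    """
    return sum(math.log2(n) for n in choice_sizes)


def compare(n_words=3):
    """Return bits of entropy for several password strategies.

    The point of the NCSC advice is the middle row: three random words beat
    the passwords people actually produce when asked for "complexity", even
    though eight truly random printable characters would score higher (and
    are much harder to remember).
    """
    return {
        "human pattern (word + 2 digits + symbol)":
            pattern_entropy_bits(10_000, 100, 10),
        f"{n_words} random words from a {EFF_LONG_LIST_SIZE}-word list":
            passphrase_entropy_bits(EFF_LONG_LIST_SIZE, n_words),
        "8 truly random printable ASCII characters":
            random_chars_entropy_bits(94, 8),
    }


if __name__ == "__main__":
    print("example passphrase:", random_words(SAMPLE_WORDS))
    for strategy, bits in compare().items():
        print(f"{bits:5.1f} bits  {strategy}")
```

Run it and the three rows come out at roughly 23, 39 and 52 bits. The comparison is deliberately honest: random characters win on paper, but the realistic alternative to three random words is the predictable pattern in the first row, which is what attackers' wordlists are built around. Add a fourth word and the passphrase overtakes the random eight characters while staying memorable.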
If you are buying security, here is a quick way to tell the adults from the dramatists:
- They describe the real threats you actually face, not the “Hollywood” version of them.
- They show how to reduce risk immediately with the kit and people you already have.
- They can identify one or two key areas to improve, then report against them.
- They explain trade‑offs in plain English and put the users first.
- They will pilot, compare to a baseline, and admit if something did not work.
- They never sell by humiliating your staff or your parents.
Fear can get attention. It rarely builds trust. The better path is simple. Teach what helps. Put controls in the right places. Make the secure thing faster than the insecure thing. Then prove it made a difference.
A note on the Vegas couple. If I met them again, I would buy them a coffee and offer three practical options, not a lecture. Keep the notebook, but store it somewhere safe and away from the devices it unlocks. Or switch to a password manager and let it do the heavy lifting. Either way, add multi‑factor authentication on email and banking first. Small steps, big wins.
If someone tries to sell you security by making you feel foolish, walk away. If they can show you how to make tomorrow measurably safer without drama, pull up a chair. That is the work I care about, and the only kind of relationship I want to keep.
Sources
NCSC — Three random words (password advice): https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words
NCSC — End‑user advice: writing passwords down can be acceptable if stored securely: https://www.ncsc.gov.uk/guidance/end-user-devices-advice-end-users
NCSC — Password managers and guidance on writing passwords down: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers
NCSC — The logic behind three random words: https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words
NCSC — Not all types of MFA are created equal (phishing‑resistant methods): https://www.ncsc.gov.uk/blog-post/not-all-types-mfa-created-equal
NCSC — Recommended types of MFA (FIDO2, passkeys): https://www.ncsc.gov.uk/collection/mfa-for-your-corporate-online-services/recommended-types-of-mfa
NCSC — Passkeys: they are not perfect but getting better: https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better
NCSC blog — stop blaming users and fix design: https://www.ncsc.gov.uk/blog-post/so-long-thanks-for-all-the-bits