Posts by Amy Stokes-Waters
Attackers Engineer Behaviour. Defenders Explain It.
Attackers are not doing something fundamentally different to security awareness teams. They are simply better at it. Both are trying to influence behaviour, interrupt habit, and push people away from their default responses. The difference is that attackers openly social engineer, while defenders insist on explaining social engineering as if behaviour changes through understanding alone.…
Read MoreYou Can’t Change Behaviour By Telling People What To Do
Training doesn’t survive pressure. Rehearsal does. Stop teaching slides. Start building instinct under fire.
Read MoreAwareness Is The Outcome
Awareness is treated like a task to be completed, measured, and filed away. But real awareness doesn’t arrive on a schedule or live inside a dashboard. It shows up later, under pressure, as recognition, hesitation, judgement. And if it’s not there when it matters, the work never really happened. We keep saying “awareness” as if…
Read MoreBefore Frameworks, There Were Fairytales
On why narrative beats instruction.
Read MoreAttendance Doesn’t Equal Engagement
If someone can attend your training without thinking, feeling, or changing how they behave, engagement never happened. This is about the difference… and why it matters more than completion rates ever will. Cyber teams love the word engagement. It sounds warm. Reassuring. Progressive. But nine times out of ten, what they are really measuring is…
Read MoreThe Engagement Paradox
On cyber awareness, and why it keeps failing. In cyber security, we bloody love the word “awareness”. It goes into strategies and programmes. We measure it. We report on it (kind of). We even dedicate a whole bloody month to it, worshipping the idea as if it’s an end state in its own right. And…
Read MoreAttention Seeking B*tch
Why being an attention-seeker makes me better at producing outstanding cyber security training. Let’s get the title out the way first. I’ve been called an attention-seeker most of my adult life. Sometimes it’s affectionate. Sometimes it’s a joke. Sometimes it’s said with the full intent of landing as an insult and staying there. I’ve never…
Read MoreWhy We Occasionally Say Fuck
We like a well-timed F-bomb. I like them a lot, if I’m honest. Within our professional content, though, we use them sparingly and on purpose. You may have noticed. Some of you may hate us for it. We certainly hear about it. People comment. People talk. Which, frankly, is part of the point. We don’t…
Read MoreWe Don’t Protect Ideas. We Apply Pressure.
Most organisations talk about innovation like it’s a badge you earn once and pin to your chest forever. We’ve learned the harder, more honest truth. Innovation doesn’t survive on intention. It survives on challenge. That belief shaped how we build our board and why we built it to push back, not clap along. Most companies…
Read MoreThe Definitive CISO Gift Guide
You know how regular gift guides tell you to buy personalised wash bags, grooming kits, and drones? Yeah… no. This is for the people who spend their days blocking hackers, herding vendors, wrestling auditors, reporting to the board, and drinking strong black coffee because, let’s face it, decaf is for amateurs. Here are your go-to…
Read More