Issue 020 · 9 June 2026

What Didn’t Make It

Amy Stokes-Waters · 6 minute read

On the ideas too spicy for the book (no, not that kind of spicy)

Hey did you know I wrote a book? Cause I totally did. And OK… I know… I KNOW I’ve already talked about it a lot. I know last week was about the book… and the week before was about it as well. And I promise I’m not becoming one of those people who just bangs on endlessly about the thing they wrote…

But it launched ten days ago and I’m still in that strange, slightly giddy window where things keep coming up… things I wanted to say, things I cut, arguments I softened because they felt too spiky / spicy for a document that was supposed to be useful rather than adversarial. So bear with me for one more week while I get it out of my system. After this I’ll move on. Probably…

Here’s the thing about writing a book, or in my case, a long-form piece of work that tries to argue something the industry doesn’t especially want to hear… you edit yourself. Not in the cowardly way, necessarily, but in the way of a person who wants to be taken seriously by the people they’re trying to persuade. You smooth the edges. You frame the challenge in a way that gives the reader room to agree without feeling attacked. Which is the right call, almost always… but it isn’t always the argument I want to make.

So… here are some of the things that didn’t make it. Or made it in a slightly more “socially acceptable” form. The ideas that felt, in the edit, like they needed to come with a little bit more padding than I gave them. So, if I didn’t have any manners… here’s what I’d have really written…

L&D teams are sometimes making cyber security training worse.

Before you all throw your arms in the air and get me tried for being a witch or a traitor… I definitely don’t mean that it’s through negligence. Or through lack of effort. Or that they’re terrible at their jobs.

It’s because… the instinct of a trainer, when handed a topic, is to make it clear and structured and digestible and accessible. Rationally, it makes total sense. Give people something easy to understand and they’ll… well… understand it. Right? Well… that isn’t how we actually remember things. We need that little bit of friction. A surprise. Something different. Our brains like to push themselves. We like to be curious and work things out for ourselves.

So, every time we smooth out a cyber scenario and hand people the answer on a plate, we’re optimising for the wrong outcome. I got close to saying this in the book and then softened it. Because again, I don’t want to be burned at the stake.

When the brain has to put some effort in, the learning sticks.

So, I opted to talk about friction. And designing for the right memory system.

Phishing Simulations Aren’t Training

As a lot of companies run them, phishing simulations are surveillance. The act of sending a fake email to catch people out, then using the failure rate as a metric for security culture, tells you almost nothing about culture and quite a lot about how the test was designed.

A well-crafted fake during a busy period with a plausible sender and an urgent call to action will catch almost everyone. A clunky one sent on a Tuesday morning when nothing is happening will catch almost no one. The result reflects the scenario… not the person. And yet organisations report these numbers to boards as though they mean something… and boards accept them because what else are they going to do?! Nobody in that meeting wants to be the one to say: actually, our main culture metric is basically noise.

“Awareness” Sets The Wrong Goal

Well, actually… it’s not just that it sets the wrong goal. It’s also that it makes the wrong people responsible. If the goal is awareness, then the security team owns it, because awareness is about information transfer and information is their domain. But if the goal is behaviour, then the whole organisation owns it, because behaviour is shaped by every decision every manager makes every day.

Think about things like how incidents get responded to, whether people get blamed or supported, whether questions are welcomed or discouraged, whether the culture says “tell us when something goes wrong” or silently communicates “sort it out and don’t embarrass anyone.”

The moment you shift from awareness to behaviour… the security team becomes a collaborator rather than a delivery mechanism. That’s a much bigger ask than most organisations are ready for. The book talks around this. It doesn’t say it quite this directly.

The Industry Doesn’t Want the Problem To Be Solved

I went back and forth on this one quite a lot. And figured in a book about engagement, it probably wasn’t the right place to say it. I’m not talking conspiratorially here either. So don’t take it the wrong way. I don’t think there are boardrooms full of guys twirling their moustaches and deciding to keep cyber incidents high so they can keep selling training. Or at least I hope there aren’t anyway…

And before anyone comes for me… I’m certainly not saying I have all of the answers to solving things either. But just from an economics perspective, the training market is built on a problem that recurs… i.e. those human-element numbers are consistently high… because the solution being sold doesn’t work well enough to eliminate the need for itself.

I mean, I guess that’s capitalism for you, and as a business owner I can hardly rail against that. But the incentive structure for security training does seem to point towards iteration rather than transformation. And I think transformation is where we really need to move to.

I said in the book that engagement is the entry point to everything that follows. I stand by that completely. What I perhaps didn’t say loudly enough is that the industry, as currently configured, has very little incentive to agree.

The book is still available if you haven’t grabbed it yet. It’s £17.99 and it argues all of the above, just with slightly better manners. Or get the free PDF copy from our website:

Free version: https://cyberescaperoom.co/attention-please

Hard copy: https://buy.stripe.com/aFa28t8kycV0gNj9LLafS00

That's it for this week. Reply and tell me what you think.

Amy

Amy Stokes-Waters · Founder, The Cyber Escape Room Co.