


Cybersecurity often feels like a battle of technologies (firewalls, AI, monitoring tools), but at its core, it’s human. People are both the first line of defence and, more often than not, the most vulnerable point. On a recent episode of Security Strategist, Richard Stiennon spoke with Nicole Jiang-Gibson, Chief Executive Officer of Fable Security, about why traditional training doesn’t work and how understanding human behaviour can fundamentally change an organisation’s security posture.
Humans are the Weakest Link
Nicole’s journey in cybersecurity began long before Fable. She was an early member at Abnormal Security, where she helped build email security solutions. That experience exposed a recurring truth: even the best technical safeguards can be undone by human error.
“Human error is really the number one cause at the beginning of cybersecurity incidents,” Nicole explains. “Phishing attacks are the number-one starting point—one click, one misstep, and suddenly the consequences are massive.”
She recalls the MGM Resorts breach as a turning point: an IT help desk employee took a phone call from someone impersonating an Okta admin, leading to a major security lapse. “Even with strong email defences, people were exposed in ways technology couldn’t prevent. That’s when I realised that this was a human problem we needed to solve.”
Seeing Security Through the Attacker’s Eyes
Fable Security’s approach is rooted in understanding both employee and attacker behaviour. Nicole describes it almost like a conversation from both sides of the table.
“Looking at security from the attacker’s perspective changes how organisations design interventions,” she says. “Employees often don’t even realise which actions put them at risk. By understanding predictable behaviours, we can build targeted, timely interventions instead of generic training modules that people forget.”
The company leverages data to identify risky behaviours and reinforce safe ones. Richard notes that this can turn the math of phishing attacks in an organisation’s favour, reducing the likelihood of a click from 40 per cent to 2 per cent, for example, meaning attackers have to try 50 times to succeed once.
Reinforcement Not Punishment
One of the major differences in Fable’s approach is how they treat learning. Traditional phishing simulations can leave employees feeling tricked or shamed. Fable focuses on reinforcement and repetition, creating a culture where security is part of everyday decision-making.
“We empower organisations with data to understand how employees behave and then help them stay one step ahead of attacks,” Nicole explains. “It’s not just about preventing business loss, it’s about protecting culture, brand, and employee safety.”
By shifting the focus from blame to understanding and from generic training to targeted behavioural interventions, organisations can finally address the human factor in cybersecurity with the seriousness and nuance it deserves.
For more information, visit fablesecurity.com
Takeaways
00:00 The Human Factor in Cybersecurity
01:11 Fable Security's Origin Story
04:23 Understanding Human Vulnerabilities
06:01 The Attacker's Perspective
08:29 Fable's Ad Tech Approach
12:04 Revolutionising Security Training
14:37 The Ethics of Phishing Simulations
19:42 Building Trust in Security Training
22:56 Empowering Employees as Sensors
27:40 Steps Towards Meaningful Behaviour Change
By EM360Tech
