Complexity of Security (Part 1)
By Andrew Johnston | 16 January 2026
Summary
In cybersecurity, there is a common belief that more tools, policies, and procedures must make us safer. Complexity often has the opposite effect. It creates confusion, slows adoption, and drives people to work around the very controls designed to protect them.
Most organisations now operate with more than forty-five different security tools. Staff are asked to navigate multiple authentication systems, policies, and training platforms on top of their daily responsibilities. Faced with this maze, it is natural for people to choose the path of least resistance, which often means bypassing security altogether.
Security only works when people can and will use it. The goal should not be to build bigger walls, but to make security simple enough that it becomes a natural part of how people work.

In cybersecurity, we often fall into the trap of believing that more is better. More tools, policies, and complex procedures must surely make us more secure. Unfortunately, this mindset has created one of the most pervasive vulnerabilities in modern organisations: “Complexity Itself.”
As security professionals, we have become our own worst enemy by building systems so complex that the very people we are trying to protect either cannot use them properly or actively work around them. It is time to acknowledge an uncomfortable truth: Complexity is the Nemesis of Security.
The Human Element: Not Everyone Speaks Security
The fundamental flaw in most security programs is the assumption that security awareness is "Intuitive" or "Common Sense." This assumption fails to recognise that people approach technology and security with vastly different mental models and comfort levels. In cybersecurity, we have designed systems for PC gamers but deployed them to organisations full of console gamers. We often question why adoption rates are low and compliance is inconsistent.
Consider the analogy of PC versus console gamers. PC gamers are comfortable with:
- Complex configurations
- Multiple input methods
- Troubleshooting technical issues
- Customising their environment
Console gamers prefer:
- Plug-and-play simplicity
- Consistent interfaces
- Reliable, predictable experiences
- Minimal configuration
This mindset is further reinforced by the "smart" technology we use every day, such as phones and tablets. Like gaming consoles, the security features of phones and tablets are invisible to users, leading them to believe that they are secure when, in fact, the opposite may be true. Users are unaware of the complexities surrounding antivirus, anti-malware, and endpoint security. Therefore, it is essential to improve the way we communicate these issues.
Here are examples to consider:
The Overwhelming Maze of Modern Security
Today's organisations deploy an average of 45+ security tools across their infrastructure. Employees are expected to navigate multiple authentication systems, follow dozens of policies, and understand countless procedures—all while doing their actual jobs. This security stack often includes:
- Multiple password managers and authentication systems
- VPNs with different connection protocols
- Email encryption tools with varying interfaces
- Incident reporting systems with complex workflows
- Training platforms with overlapping content
- Compliance frameworks with conflicting requirements
This may be viewed as overly dramatic, but it is important to consider the specific user group for each tool, as each comes with its own interface, rules, and potential pitfalls. When employees navigate this complex landscape every day, they naturally tend to follow the path of least resistance, often ignoring security controls altogether.
The Tower of Babel: When Technical Language Becomes a Barrier to “Babbel”

The complexity of communication about security matters within an organisation can be more damaging than we think. In security and technology, we have created our own Tower of Babel, where familiar words carry vastly different meanings depending on context, and technical jargon excludes the very people we need to engage.
Words That Mean Everything and Nothing
Consider how these everyday terms confuse rather than clarify:
- Key: In cybersecurity, this is an encryption key for securing data. Outside tech, it is a door key, a musical key, or a keyboard button.
- Hash: Refers to a cryptographic hash for data integrity but commonly means a hashtag on social media or a type of food/drug.
- Bug: A software defect that can be exploited, versus an actual insect or a listening device.
- Virus: A malicious program that self-replicates, as opposed to a biological pathogen.
- Firewall: A network security system blocking unauthorised access, not a physical barrier against fire.
- Cloud: Cloud computing services like AWS, versus atmospheric clouds or a metaphorical state of mind.
- Port: A network port for data transmission, rather than a harbour for ships.
- Cache: Temporary storage for faster data access in computing, or a hidden stash of items.
- Boot: Booting up a computer system, not footwear or kicking something.
- Spam: Unsolicited bulk emails, versus the canned meat product.
The Expertise Gradient
Organisations contain people across a vast spectrum of technical comfort:
- Highly Technical Users: understand complex systems and can navigate multiple tools effectively.
- Moderately Technical Users: can follow detailed instructions but struggle when systems behave unexpectedly.
- Basic Users: need simple, intuitive interfaces and clear, jargon-free guidance.
- Technology-Hesitant Users: are intimidated by new systems and need extensive support.
Most security training and policies are written for highly technical users, leaving 70-80% of the organisation struggling to comply.
Practical Steps Toward Simplicity

The following simple steps will improve the way tools and processes are used and will support the users interacting with them:
Consolidate and standardise common user-interface patterns to reduce training shock. This can be as simple as consistent colour, font, and the use of check boxes versus radio buttons.
Audit your security tool stack and eliminate redundancy. A high level of technical debt can reside in security platforms, through duplication of service (e.g. multiple routers and/or switches doing similar roles) and devices being used for functions they were not designed for. This can be as simple as firewall rules versus ACLs: they are fine-grained and coarse-grained applications of similar functions, so work out where the service is best implemented and on what type of device.
Standardise interfaces across security tools where possible. Standardisation and the use of patterns may appear problematic and costly during implementation, but the downstream operational model is simplified, and incident management process time is improved.
Create unified dashboards that aggregate multiple systems. Unified dashboards provide an improved view of the ecosystem rather than individual points in time, which may not show the overall trend of events or provide a way to resolve them before escalation.
How Liverton Security can help
Liverton Security provides a suite of tools that simplify how your organisation supports its users while strengthening communication security and data protection. Our platform enables standardised secure communications, reduces manual security interventions, and enforces email data protection at scale.
Our solutions deliver:
- Policy-driven secure email workflows
- Automated data classification and protection
- Threat and phishing detection with configurable controls
- Centralised management, reporting, and compliance orchestration via SHIFT For Outlook
By streamlining secure email processes, protecting confidential internal information, and detecting phishing and email-borne threats before they reach end users, Liverton Security delivers a low-complexity, enterprise-grade security architecture aligned with operational, regulatory, and risk-management requirements.
When we use these terms without context, we create confusion rather than understanding. An employee hearing about "patching" may not understand that the discussion is about critical security updates, rather than a physical fix in the office.
About Liverton Security
Digital technology has greatly expanded opportunities for businesses, but has also introduced complex security threats that organisations cannot ignore. Protecting people, critical data, and entire organisations requires proactive and continuous security strategies.
As an influential and respected leader in global cybersecurity, Liverton Security specialises in helping businesses and government organisations neutralise evolving cyber threats in the digital age.
Can we help keep you cyber safe?
To explore solutions and discuss your cybersecurity needs, talk to our team at Liverton Security.