Complexity of Security (Part 2)
By Andrew Johnston | 21 January 2026
Summary
Complexity is a sign of sophistication in security. The more tools, the more policies, the more detailed the controls, the safer we must be, right? The truth is vastly different. Complexity is the enemy of security. When security systems are too complex, they create fear, confusion, and disengagement.
Fear shuts people down. If incident reporting requires technical jargon or difficult workflows, staff hesitate to act. They worry about looking incompetent, saying the wrong thing, or being blamed. The result is silence, the exact opposite of what an organisation needs when faced with a potential threat.
When processes become too difficult, people often find shortcuts. Over time, these shortcuts can become the accepted methods of working. However, they can create invisible security gaps that leadership may not recognise.

Recent industry research shows that under-reporting of security incidents is widespread and driven by human and cultural factors rather than simple oversight. Employees, including cyber professionals, avoid reporting breaches out of fear of job loss or punitive consequences, while half of employees admit they are hesitant to report security errors due to fear, lack of confidence, or unclear procedures.
Deep-seated cultural barriers, such as blame-oriented environments and hierarchical pressures, further suppress honest reporting. In some workplaces, employees are instructed not to disclose breaches, reinforcing a culture of silence that undermines organisational resilience. Structural issues such as overly complex reporting processes, a lack of anonymity, and the perception that reporting yields no meaningful results also deter incident reporting.
Enable 'Do Not Scare' and Explain Why Simplicity is More Powerful
As security professionals supporting organisations, we need to provide training and support to management and staff and stop scaring them into cybersecurity compliance. It is our job to empower them instead by:
Ditching the blame game: Instead of asking "who clicked that dodgy link?" ask "how can we make reporting incidents feel safe?" The fastest way to kill incident response is by making people afraid to speak up.
Building trust, not fear: Employees who trust their organisation are more likely to follow security protocols, report suspicious activity, and take ownership of their role in protecting the business.
Starting small, thinking big: Real culture change happens through consistent, manageable habits. One properly configured password manager beats a dozen complicated policies that no one follows.
The Fear Factor: When Complexity Breeds Non-Compliance

Complex security environments create a perfect storm for non-compliance and under-reporting. Research has consistently shown that complexity leads to:
Fear of Reporting
When incident reporting requires navigating complex systems or using technical language, employees often choose silence over confusion.
They fear:
- Looking incompetent because they do not understand the system
- Providing incorrect information because of confusing terminology
- Being blamed for not following unclear procedures
- Wasting time on complex reporting workflows
An incident reporting and disclosure survey by Keeper Security has revealed the top three reasons for not reporting cyber-attacks are:
- Fear of repercussion (43%)
- Not thinking it was necessary (36%)
- Forgetting to report the incident altogether (32%)
Falsified Compliance
When policies are too complex to understand or follow, employees often engage in "security theatre", appearing to comply while circumventing controls. Common examples include:
- Password complexity requirements that lead to predictable patterns (Password123!)
- Excessive approval workflows that result in blanket pre-approvals
- Complex training modules completed without engagement or understanding
- Detailed incident reports filled with boilerplate responses
The Normalisation of Security Violations
In complex environments, small violations of security policy become normalised because "everyone does it this way." Over time, these workarounds become accepted practice, creating significant security gaps that remain invisible to leadership. This leads to:
- Small violations compounding into major vulnerabilities and security events
- Invisible threats, where normalised behaviours evade detection
- Insider threats, where employees unintentionally become risk or threat vectors
- Compliance gaps: under a tick-box model, where compliance is an exercise rather than a process that builds trust, organisations may appear compliant but are not secure
Building Educational Bridges: Guiding People Through the Process

The solution is not to abandon security; rather, it is to redesign it with an understanding of human capabilities and limitations. This requires creating educational bridges and well-structured models that guide people through the learning process instead of expecting them to jump across technical gaps. Additionally, training and its delivery must be evaluated for their effectiveness, as well as how well individuals understand and perform after completing the training.
Layered Communication Strategy
Level 1: Basic Awareness: Simple, action-oriented guidance for all staff:
- Click the browser icon on the left of the search bar to verify you are connected securely
- When in doubt, ask for help
Level 2: Functional Understanding: Context and reasoning for engaged users:
- VPNs create a secure tunnel between your device and company systems
- Two-factor authentication adds a second check to verify your identity
- Regular updates fix security weaknesses that criminals might exploit
Level 3: Technical Detail: Comprehensive information for technical staff:
- Implementation details, configuration options, and troubleshooting guidance
- Security control validation and testing, rule effectiveness checks, and post-incident review procedures
Universal Design Principles and Patterns
Effective security communication follows universal design principles and reusable patterns:
- Clear visual hierarchies help users find information quickly
- Plain language eliminates jargon and technical complexity
- Consistent terminology uses the same words for the same concepts
- Progressive disclosure reveals complexity only when needed
- Multiple formats accommodate different learning styles
Practical Steps Toward Simplicity
Consolidate and Standardise
- Audit your security tool stack and eliminate redundancy
- Standardise interfaces across security tools where possible
- Create unified dashboards that aggregate multiple systems
Simplify Language
- Develop a security glossary with organisation-specific definitions
- Use consistent terminology across all security communications
- Assess communications with non-technical staff before deployment
Design for the Least Technical User
- Create workflows that accommodate basic technical skills
- Provide multiple paths to accomplish security tasks
- Offer escalation routes when complexity is unavoidable
Measure What Matters
- Track usability metrics alongside security metrics
- Monitor workaround behaviours as early warning signs
- Survey user experience regularly and act on feedback
The Path Forward: Security That Works for People

The goal is not to “dumb down” security; it is to make it user-friendly. When we design security systems that work with human nature rather than against it, we create:
- Higher compliance: people are more likely to follow clear procedures
- Faster incident response: reporting becomes simple and non-threatening
- Better security outcomes: controls are used as intended
- Reduced risk: workarounds and shadow IT decrease significantly
- Cultural change: security becomes a shared responsibility rather than solely the IT department's burden
Embracing Simplicity as Strength
The goal is not perfect security; it is sustainable security that works with human psychology, not against it.
In cybersecurity, we must resist the temptation to equate complexity with sophistication. The most secure organisations are not those with the most tools or the most detailed policies, but the ones where security is simple enough for everyone to do their part.
The role of security professionals is not to demonstrate how much we know through complex implementations. Our job is to protect the organisation by creating security systems that work in the real world, with real people, under real constraints.
The next time you are designing a security control, ask yourself: "Would my non-technical colleague understand this?" If the answer is no, you have not finished the job. Because in cybersecurity, if it is too complex for humans to use correctly, it is too complex to work.
Remember: The best security control is the one that is used correctly by everyone who needs it. Everything else is just expensive complexity masquerading as protection.
How Liverton Security can help:
Liverton Security has two ways in which we can help organisations with their security journey.
Our Consulting team can help with:
- Technical processes such as penetration testing
- Security maturity assessments that help your organisation identify your security risks from the physical to the technical and virtual.
- Compliance reviews to support certification and accreditation of services that your organisation provides or consumes.
Liverton Security further supports organisational security with a suite of tools that will help simplify the way your organisation supports its users.
The tools that Liverton Security can provide simplify:
- Protecting your internal confidential documents sent by email
- Identifying phishing and other email threats
- Secure file transfer: SHIFT is an Outlook application designed for simple and secure file transfers through integrated email client functionality
This all goes a long way to simplifying your security.
About Liverton Security
Digital technology has greatly expanded opportunities for businesses, but has also introduced complex security threats that organisations cannot ignore. Protecting people, critical data, and entire organisations requires proactive and continuous security strategies.
As an influential and respected leader in global cybersecurity, Liverton Security specialises in helping businesses and government organisations neutralise evolving cyber threats in the digital age.
Can we help keep you cyber safe?
To explore solutions and discuss your cybersecurity needs, talk to our team at Liverton Security.