Information Security: A Cultural Circus with a Tragic Finale

If cybersecurity has anything in common with seatbelts, motorcycle helmets, and the Mediterranean diet, it’s this: everyone knows they’re essential, but hardly anyone bothers to use them. Why? The answer is as obvious as it is depressing: culture. Or, more specifically, the complete lack thereof.

Cybersecurity—digital or otherwise—is, above all, a cultural issue. It’s not about technology, regulations, or ISO standards with titles longer than a queue for Wimbledon. Sure, those things help, but without a solid cultural foundation, they’re little more than decorative knick-knacks, like your grandma’s lace doilies on the telly. What’s needed is a population that can think critically, discuss sources intelligently, and—miracle of miracles—take responsibility for their actions. Until that happens, we might as well kiss progress goodbye.

Security Is Inconvenient—and That’s Why People Avoid It

Let’s not beat around the bush: security is a nuisance. It’s like those seatbelts in the 1960s, which people swore were medieval torture devices, or those motorcycle helmets in the 1980s, which supposedly existed solely to ruin hairstyles. Cybersecurity is even worse because, unlike a seatbelt, you can’t see it. Risks are invisible until disaster strikes—and by then, it’s too late. Congratulations, you’ve just handed your bank account details to a very clever Nigerian scammer.

The underlying problem? Security is inconvenient because it forces us to think. And thinking, as everyone knows, is hard work. As the ever-wise Edgar Morin said, “Education must foster mutual understanding among humanity.” Translated into everyday terms: stop acting like muppets and learn something. But for many, terms like phishing, ransomware, or multi-factor authentication sound less like helpful advice and more like a tech wizard casting spells.

Critical Thinking: The Web’s Worst Nightmare

Ah, critical thinking—that elusive concept everyone praises but rarely practices. Cybersecurity depends on it, first and foremost. And critical thinking begins with a simple truth that should be tattooed on the forehead of every digital user: not everything online is true.

It’s a straightforward principle, but one that feels revolutionary. It means that internet news isn’t credible just because it’s drenched in likes, that images can be manipulated, and that no, a Nigerian prince doesn’t actually need your IBAN to unlock a multi-billion-dollar inheritance. Try explaining that to someone who shares fake news as enthusiastically as they do photos of kittens.

The confusion deepens with tools like fact-checking and community notes. Fact-checking is a scientific, precise weapon wielded by experts who cross-reference content with reliable sources. Community notes, on the other hand, hand the reins over to the crowd—that wonderfully diverse group that sometimes struggles to distinguish between a legitimate article and a meme of a cowboy cat. Both have their uses, but while fact-checking strives for accuracy, community notes often reflect the biases and whims of the collective. It’s a precarious dance between truth and perception, where critical thinking should take center stage but often ends up as a bewildered spectator.

The reality is that teaching this concept feels akin to convincing a cat not to climb the Christmas tree: challenging, infuriating, and not without its casualties. Yet, just as some cats eventually learn (after toppling enough ornaments), so too can we hope for progress in fostering a more discerning digital public.

Automotive and Safety: A Modern-Day Fable

When it comes to cultural resistance, the automotive industry is a masterclass in lessons. In the 1950s and 60s, the introduction of seatbelts faced a veritable brick wall of opposition. Manufacturers and consumers alike decried them as uncomfortable, unnecessary, and—believe it or not—dangerous. Yes, you read that correctly: some argued that seatbelts would trap occupants in burning vehicles, completely overlooking the unpleasant reality of being flung through the windshield at 90 km/h.

Motorcycle helmets suffered the same fate in the 1970s and 80s, with objections ranging from “they ruin my hair” to “they limit my personal freedom.” The narrative was that of the romantic rebel, risking their head in the name of defiance, unwilling to bow to the perceived tyranny of safety.

And yet, something shifted. By the 1980s and 90s, public acceptance of seatbelts and helmets began to rise. This change wasn’t solely the result of stricter laws; it was a cultural transformation. Advertisements stopped glorifying reckless independence and instead championed the value of safety and protection. Campaigns showed children buckled up, families saved by airbags, and the devastating consequences of not using these devices.

The data added undeniable weight: fatal accidents plummeted in vehicles equipped with these safety measures. Slowly but surely, the public began to see tangible benefits. What was once viewed as a nuisance became a non-negotiable standard. Today, seatbelts, helmets, and even advanced braking systems are no longer considered optional but are instead seen as essential. If someone buys a car without airbags, they’re either living in the past or dangerously uninformed.

Now, let’s compare this to cybersecurity. The gap is as wide as a motorway. Not only does the general public treat cybersecurity as a chore, but even so-called experts often display a patchy, distorted understanding of it. Politicians and influencers add fuel to the fire with opinions masquerading as facts and solutions that feel like they belong in an episode of Black Mirror.

The key difference is this: the automotive industry built a cultural shift before enforcing regulations. Cybersecurity, on the other hand, remains a chaotic free-for-all where laws only materialise in the aftermath of disasters. The lessons from the automotive world show us that before we can impose rules, we need a society that understands why they matter. Until then, cybersecurity will remain an afterthought in a world that increasingly depends on it.

Numbers and Probability: A Foretold Disaster

Now, let’s dive into another sore point: statistics. Those delightful tables and graphs that no one reads, yet everyone interprets however they like. In the West, headlines scream about Chinese cybercriminals taking over the world. Meanwhile, in China, the narrative downplays vulnerabilities and points an accusatory finger at the West. And in between? Absolute chaos.

The issue isn’t just manipulation; it’s how easily people misinterpret or distort data. Cognitive limitations play a critical role here: the human brain is not designed to process large, abstract numbers. When we hear that “millions of cyberattacks occur daily,” our minds tend to shut down, unable to assign tangible meaning to such an enormous figure.

As Daniel Kahneman highlighted, the way we present numbers can drastically alter how risks are perceived. For example, saying there’s a 5% chance of being hacked feels less threatening than saying, “1 in 20 users will be hacked.” Both statements convey the same probability, but the latter evokes a much stronger emotional reaction.

On top of cognitive challenges, cultural factors exacerbate the problem. In many countries, there’s a tendency to ignore risks until they erupt into full-blown crises. This attitude isn’t limited to governments—it’s evident in companies too, which often prioritise marketing and PR over investing in robust security infrastructure. It’s not just ignorance; it’s a culture that favours style over substance.

Then there’s the sensationalism. Fake news and distorted statistics travel faster than light, propelled by catchy headlines and a generous dose of fearmongering. Meanwhile, genuine threats—those that lack clickbait-worthy drama—are overlooked. As Hannah Arendt once said, “The result of replacing facts with opinions is that opinions become facts.”

This creates a perilous environment where the real risks—those quiet, unassuming dangers—are neglected, leaving the door wide open to significant yet underestimated threats.

Changing this dynamic requires far more than regulations and guidelines. It demands an integrated approach that combines effective communication, widespread education, and a dedicated effort to combat misinformation. Only by addressing these interconnected challenges can we hope to overcome the cognitive and cultural barriers that continue to hinder progress in cybersecurity.

The Brain: That Lazy, Cheeky Rascal

Let’s not mince words: neurobiological and psychological challenges make us instinctively incapable of managing cybersecurity effectively. It’s a toxic cocktail of cognitive biases and evolutionary wiring that prioritises the immediate over the abstract. Neuroscience and psychology have repeatedly shown that our brains are simply not built to handle probabilistic risks or future threats. They’d rather focus on immediate, tangible dangers—like a lion chasing us—than on the distant menace of a phishing email lurking in our inbox.

Take optimism bias, for instance. It convinces us that bad things only happen to other people, never to ourselves. Tali Sharot, a cognitive neuroscientist, explains how the human brain underestimates personal risks, leading us to ignore essential precautions. It’s the classic, “Why would anyone hack me? I’m a nobody!” sentiment. And while someone thinks this, ransomware could already be encrypting their wedding photos.

Then there’s our aversion to big numbers. Daniel Kahneman, Nobel laureate in economics, has extensively explored how people are catastrophically bad at comprehending probabilities. We overestimate rare but sensational risks (like a terrorist attack) and underestimate common yet devastating ones (like a phishing scam). If a risk doesn’t come with dramatic music and a Hollywood-style explosion, the brain simply files it under “unimportant.”

And let’s not forget our resistance to change—a pervasive plague. Breaking habits, learning new skills, or simply ditching “password123” for something more secure demands mental effort, and let’s be honest, our brains hate effort. Carol Dweck, known for her research on the growth mindset, highlights how many people freeze at the prospect of evolving, clinging to their comfort zones like a toddler to their favourite toy.

Lastly, there’s temporal discounting, a phenomenon described by George Ainslie. We naturally prioritise immediate rewards over future benefits. Translation: “Why worry about a cyberattack that might never happen when I could just watch Netflix instead?” This same logic explains why people ignore those annoying software update notifications for weeks on end.

These obstacles are not easily overcome. Shifting deeply ingrained behaviours demands a scientific, systematic, and conscious approach. We can’t just tell people what to do; we must understand how their brains work and design interventions that align with their psychological tendencies.

This means starting from a young age, when habits and thought patterns are still malleable. Educating children on critical thinking and digital awareness isn’t just an option; it’s a necessity. It’s the only way to build a generation equipped to face the digital world’s risks with intelligence and responsibility.

Let’s be clear: this isn’t about instilling fear but about fostering understanding. With a careful blend of education, behavioural insight, and practical guidance, we can nudge even the laziest brain toward a more secure digital future.

A Future That Demands a Cultural Revolution

Here’s the harsh truth: we won’t save ourselves with a few extra regulations or the latest miraculous technology. Cybersecurity, like every major transformation, requires a cultural revolution. This means comprehensive education, starting in schools and extending to boardrooms. People must learn that cybersecurity isn’t a cost—it’s an investment. Thinking before clicking isn’t paranoia—it’s common sense.

Most importantly, a shift in mindset is essential. We must stop expecting others to take care of our security. As Zygmunt Bauman wisely observed, “Security is the most universal and, at the same time, the hardest to achieve of human needs.” The challenge isn’t just technological—it’s human. Until we face it with the same determination that made seatbelts mandatory, we’ll continue circling this cultural circus.

The question remains: are we ready to take the leap? Or will we watch as disaster repeats itself, hoping it happens to someone else this time? Only time will tell.

🔍 Who Are the Minds Behind the Quotes? 🔍

In my latest article on cybersecurity, I referenced some intellectual giants—and, modestly, myself. But who are these people? Here’s a quick introduction:

🧠 Edgar Morin A French philosopher and sociologist, known for his pensée complexe (complex thought). Morin challenges us to overcome fragmented thinking and tackle global issues with a broader, interconnected perspective. Exactly what cybersecurity needs!

📊 Daniel Kahneman Nobel Prize winner in Economics and author of Thinking, Fast and Slow. Kahneman explored how the human mind perceives risk (often poorly) and why we tend to make irrational decisions. A brilliant manual for understanding why we click on all the wrong links.

📝 Hannah Arendt One of the 20th century’s most brilliant minds, philosopher and political theorist. Her analysis of how opinions transform into “facts” is more relevant than ever in the age of fake news and memes that turn into policy.

💡 Zygmunt Bauman A Polish sociologist best known for his concept of “liquid modernity.” Bauman tackled the theme of security as a universal but elusive need, making his insights perfect for understanding the chaos of digital safety.

✍️ The Author: me, your sarcastic narrator. An ironic, critical observer with a passion for cybersecurity and anything that challenges common sense. I tell it like it is, with a touch of sarcasm, because someone has to. 😉