When Brian Honan, CEO of BH Consulting, spoke at a recent cybersecurity awareness event for financial planners and tax advisors, he expected a standard conference experience: engaged audience, thoughtful questions, and perhaps a few follow-up conversations. What he did not anticipate was the recurring feedback that many attendees had been genuinely scared by what they heard.
In the days following the event, Honan found himself replaying that word — “scared” — like a persistent earworm. His immediate reaction was self-doubt: had he failed to raise awareness about security threats and risks? More importantly, it made him question whether the cybersecurity industry sometimes makes things harder than necessary by describing risks in ways that sound frightening, technical, or overwhelming to people who simply want to understand practical steps to protect themselves and their businesses.
The problem with how we talk about threats
As anyone who has seen Honan speak knows, he is not one for dramatic declarations of impending doom or irresponsible hype. He does not believe in selling security through fear, uncertainty, and doubt (FUD). Instead, he has always viewed his role as raising awareness of information security as an important business issue.
But after this event, he began to wonder whether his natural tendency to approach security threats simply as risks to be managed might be inadvertently frightening those outside the cybersecurity bubble. When you work with data breaches, CEO fraud, and ransomware day in and day out, these concepts become normalized. To non-experts, they can sound like apocalyptic scenarios.
The conversation with one of the event organizers — a financial planner — drove the point home. The organizer asked Honan if he had appropriate insurance and pension protection for himself and his business. Honan had assumed he had most boxes ticked, yet the conversation sparked a flicker of anxiety: maybe he was missing something crucial. The organizer’s intention was not to scare him; he was simply applying his domain knowledge. Yet Honan, as a non-expert in financial matters, reacted with unease.
What it feels like to be the non-expert in the room
This experience illuminated a critical insight: every professional is an expert in their own field, and venturing into areas outside that expertise naturally provokes varying degrees of worry. For those uninitiated in technology, terms like “advanced persistent threats,” “phishing campaigns,” and “compromised credentials” can sound like dialogue from a spy novel. In reality, these terms often refer to criminals, scams, and fraud — tactics designed to trick people into handing over money or information.
The cybersecurity industry has long been criticized for using jargon that alienates its audience. The problem is not limited to technical terms; it also includes the tone of urgency that many security vendors adopt. When people feel overwhelmed by warnings about cybercrime, they often react in one of two ways: they dismiss the advice because it feels overly complicated or alarmist, or they become so worried about making a mistake that they avoid using technology altogether. Neither response is productive.
Honan’s reflection echoes a broader conversation within the security community. For years, researchers have argued that fear-based messaging can actually reduce protective behaviors. A 2023 study published in the Journal of Cybersecurity found that individuals who received fear-focused security messages were less likely to adopt recommended safeguards than those who received practical, empowering guidance.
The goal is confidence, not expertise
From a security perspective, Honan’s financial planner experience serves as a valuable reminder: what professionals perceive as normal can be frightening to outsiders. The onus is on security experts to think carefully about how they deliver messages — to educate, not intimidate.
The truth is, many business leaders rely on the expertise of professionals in fields like law, finance, and public relations. Those professionals use unfamiliar terminology, but it is not necessary to become an expert in those domains. Instead, the goal is to be sufficiently well-informed to ask the right questions of those providing the expertise.
Similarly, cybersecurity should not be about frightening people with stories of hackers, breaches, and worst-case scenarios. It should be about helping people understand practical steps they can take to reduce risk. This includes recognizing common scams, asking good questions of IT support, making informed decisions about security tools, and feeling confident using technology in daily business operations.
One approach that has gained traction is the use of plain-language analogies. For example, explaining multi-factor authentication as a second lock on a door — simple, effective, and non-intimidating. Another is focusing on specific, actionable advice: “Never click on links in unsolicited emails asking for your password” rather than “Beware of advanced phishing campaigns.”
Honan’s key takeaway is that if people leave a security presentation feeling empowered rather than frightened, the communicator has done their job properly. The challenge for the industry is to move away from a culture of fear and toward a culture of enablement.
This lesson, ironically, came from a financial planner — a professional whose own domain often involves complex products and legal language. Yet that planner knew how to ask questions that sparked reflection without causing panic. It is a model that cybersecurity professionals would do well to emulate.
As organizations continue to face increasingly sophisticated threats — from ransomware to business email compromise to supply chain attacks — the human element remains both the weakest link and the strongest defense. Equipping people with confidence, not fear, is the most sustainable path to better security posture. The industry must retire FUD and replace it with education.
Source: Help Net Security News