Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

Speak security and enter: Making security make sense for nontechnical users

Jessy Irwin (Jessysaurusrex)
16:45–17:25 Thursday, 10 November, 2016
Bridging business and security
Location: G106/107 Level: Non-technical
Average rating: 4.33 (3 ratings)

Prerequisite knowledge

  • A basic understanding of security principles as well as the need for security practitioners to build bridges within their respective organizations

What you'll learn

  • Learn real-world, actionable strategies for positive, proactive security education that will help build bridges with nontechnical colleagues and stakeholders


As an industry, no matter how many defensive tools and tactics we use, attackers can still pwn our networks and organizations by tricking nontechnical people into committing simple security errors. To truly turn people into another line of defense, we need to adopt another mindset and a new set of tactics to help us all bring more people onto Team Security. The best security education entertains and approaches people on their own ground and doesn’t feel like work or a struggle with a completely foreign language.

More often than not, security practitioners tend to speak in highly specialized technical terms, which puts users at a complete and utter disadvantage. Part of working toward better security outcomes with a nontechnical crowd requires shunning industry jargon and metaphors (military terms, locks, safes, etc.) for more universal, approachable examples that don’t have an element of fear or threats behind them. It’s much simpler to convey the planning, forethought, and the proactive mindset required for security through nonthreatening, approachable metaphors than one might think, and this approach is more effective when building positive and empowering elements in education rather than focusing on problems, failure, and holes. Too much security advice out there is contradictory, and too many practitioners are quick to dismiss the few tools that end users can adopt to improve their security. This is particularly disempowering for nontechnical audiences because without the skills or knowledge to evaluate the information in front of them, they have no way to figure out what to trust or what advice to follow.

Fixing our education and awareness issues requires a diverse set of tactics. There’s no technological tool that can fix this problem: changing behavior requires investments in security education and a mindset focused on going beyond trying to use technology to solve our “security problem.” Jessy Irwin offers a crash-course in people, communication, and security education for anyone and everyone who wants to protect and convert nontechnical users into a helpful, engaged line of defense. If we tweak our attitudes, approaches, and terminology to be more people-centric, we can change the way we talk about security altogether, leading to improvements in the big picture.

Jessy Irwin


Jessy Irwin is a security expert who excels in translating complex cybersecurity issues into simple, relatable terms for nontechnical audiences. Her current areas of interest include making security more accessible for the average person, advocating for strong privacy protections in education for students, building better models for digital security training, and building proactive security communications strategies for consumers, policymakers, small businesses, and Fortune 500 companies. In her work as a consultant, security executive, and former security empress at 1Password, she has taught consumers how to better protect themselves, their data, and their identities online. Jessy regularly writes and presents internationally on human-centric security, student privacy, and security communication at events including O’Reilly Security, RSA Conference, TechSummit Amsterdam, Infosec Southwest, and ShmooCon. Her work has appeared in CSO Online, VICE Broadly, Mashable, BuzzFeed, TechCrunch, and CNN.