Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

Speak security and enter: Making security make sense for nontechnical users

Jessy Irwin (Mercury Public Affairs)
16:45–17:25 Thursday, 10 November, 2016
Bridging business and security
Location: G106/107
Level: Non-technical
Average rating: 4.33 (3 ratings)

Prerequisite knowledge

  • A basic understanding of security principles as well as the need for security practitioners to build bridges within their respective organizations

What you'll learn

  • Learn real-world, actionable strategies for positive, proactive security education that will help build bridges with nontechnical colleagues and stakeholders


As an industry, no matter how many defensive tools and tactics we use, attackers can still pwn our networks and organizations by tricking nontechnical people into committing simple security errors. To truly turn people into another line of defense, we need to adopt another mindset and a new set of tactics to help us all bring more people onto Team Security. The best security education entertains and approaches people on their own ground and doesn’t feel like work or a struggle with a completely foreign language.

More often than not, security practitioners tend to speak in highly specialized technical terms, which puts users at a complete and utter disadvantage. Part of working toward better security outcomes with a nontechnical crowd requires shunning industry jargon and metaphors (military terms, locks, safes, etc.) for more universal, approachable examples that don’t have an element of fear or threats behind them. It’s much simpler to convey the planning, forethought, and the proactive mindset required for security through nonthreatening, approachable metaphors than one might think, and this approach is more effective when building positive and empowering elements in education rather than focusing on problems, failure, and holes. Too much security advice out there is contradictory, and too many practitioners are quick to dismiss the few tools that end users can adopt to improve their security. This is particularly disempowering for nontechnical audiences because without the skills or knowledge to evaluate the information in front of them, they have no way to figure out what to trust or what advice to follow.

Fixing our education and awareness issues requires a diverse set of tactics. There’s no technological tool that can fix this problem: changing behavior requires investments in security education and a mindset focused on going beyond trying to use technology to solve our “security problem.” Jessy Irwin offers a crash course in people, communication, and security education for anyone and everyone who wants to protect and convert nontechnical users into a helpful, engaged line of defense. If we tweak our attitudes, approaches, and terminology to be more people-centric, we can change the way we talk about security altogether, leading to improvements in the big picture.

Jessy Irwin

Mercury Public Affairs

Jessy Irwin focuses on security awareness and end-user education for nontechnical audiences. Based in San Francisco, she is a prolific writer and outspoken advocate for stronger privacy and security protections for people everywhere.