Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

It's us, not them: Exploring the weakest links in security

Jessy Irwin (Jessysaurusrex)
1:15pm–1:55pm Wednesday, November 1, 2017
Security usability
Location: Sutton North

Who is this presentation for?

  • Security program and product managers and those working in security awareness and engagement

Prerequisite knowledge

  • A basic understanding of common security practices (useful but not required)

What you'll learn

  • Understand why you should examine common security concepts, policies, and tasks from the point of view of nontechnical and nonexpert audiences
  • Explore an ever-expanding body of research about how experts and nonexperts think about security and interdisciplinary solutions to security challenges


It is the biggest cop-out in information security: when a major security incident hits the news, security practitioners are quick to place the blame on users and shout from the rooftops that it is the humans who are the weakest link in security. Focused on building and maintaining highly sophisticated technical systems, however, many security teams make the mistake of approaching human problems with highly technical solutions. By ignoring much of the research, data, and information we have about how people interact with machines, technologists miss the opportunity to design for (or around) expected human behaviors. As a result, many technologies ignore the needs, knowledge, and experience of the average person and set them up for failure through counterintuitive design and externalized risk when they do face security-critical tasks.

Jessy Irwin debunks the myth that users are the root of all failure, explores how security teams can transform their thinking to even the playing field for nonexpert, nontechnical humans, and introduces actionable strategies to transform people into an extra line of defense when we need them the most.

Jessy Irwin


Jessy Irwin is a security expert who excels in translating complex cybersecurity issues into simple, relatable terms for nontechnical audiences. Her current areas of interest include making security more accessible for the average person, advocating for strong privacy protections in education for students, building better models for digital security training, and building proactive security communications strategies for consumers, policymakers, small businesses, and Fortune 500 companies. In her work as a consultant, security executive, and former security empress at 1Password, she has taught consumers how to better protect themselves, their data, and their identities online. Jessy regularly writes and presents internationally on human-centric security, student privacy, and security communication at events including O’Reilly Security, RSA Conference, TechSummit Amsterdam, Infosec Southwest, and ShmooCon. Her work has appeared in CSO Online, VICE Broadly, Mashable, BuzzFeed, TechCrunch, and CNN.