Stop making excuses and go deeper
Beautiful renegades, mavericks, and deviants,
You can go deeper. Much deeper.
Have you noticed that the human aspect of cybersecurity is the one area where everyone has an opinion—even though most don’t know enough to be considered an expert? And why the f*ck does everyone think they can do your job?
Most of what people say about “changing behaviour” is wrong, unhelpful, and sometimes counterproductive. But they say it anyway. Why? Because it feels right and it’s what they know, even though there is little evidence to back it up and often plenty of evidence to the contrary. They don’t know better because they are winging it and they aren’t keeping up with how our space is evolving.
The good news? This is changing fast. The field is professionalising. We’re moving from “good comms and interesting training” to measurable behavioural outcomes and the management of human cyber risk, treating people as part of a complete system. Our space is growing up.
So, if you want to stop being just another voice in awareness and instead become the human risk professional your organisation can’t ignore, here’s what to do:
Step 1: Deepen your knowledge.
Step 2: Influence smarter decisions.
Step 3: Command respect.
Here’s your curated set of must-reads to fuel that journey:
- Human Factors in Cybersecurity – Nikki Robinson & Calvin Nobles
Blends cybersecurity operations with human factors science, showing how to design systems that work with people, not against them.
- Human-Centered Security – Mary Ellen Zurko
Reframes security failures as design failures, embedding human factors into secure system design.
- You Can Stop Stupid – Ira Winkler & Dr Tracy Celaya Brown
A safety-inspired framework for preventing avoidable human-driven losses.
- Security Culture – Hilary Walton
How to build and measure genuine security culture—from executive buy-in to metrics that matter.
- People-Centric Security – Lance Hayden
A practical toolkit for designing scalable, human-centred programs.
- Security Awareness Program Builder – Mark Majewski
Step-by-step TRAM model (Train, Reinforce, Assess, Manage) for programs that stick.
- Building a Cybersecurity Culture – Andy Wood
Psychology-backed strategies to embed security-first thinking.
- Security Awareness For Dummies – Ira Winkler
A no-fluff foundation for awareness programs that actually engage.
- The Security Culture Playbook – Perry Carpenter & Kai Roer
Executive-ready strategies for measurable culture change.
- Transformational Security Awareness – Perry Carpenter
Neuroscience, marketing and storytelling applied to security behaviour.
- The Psychology of Information Security – Leron Zinatullin
Insight into how people think, decide and behave around security.
- Social Engineering: The Science of Human Hacking – Christopher Hadnagy
A deep dive into the manipulation techniques attackers use.
👉 Find even more must-reads—including behavioural economics, psychology, and leadership—on the full CybSafe book list here.
These authors don’t all agree. Some are more progressive than others. But every single one offers gems you can use to sharpen your craft.
____________________________________________________________
Why this matters right now
Checkbox-focused awareness doesn’t work. Training ≠ behaviour change. You stand out when you combine science, strategy, data analysis and storytelling to reduce human risk where it counts.
Quick wins to position yourself as the human risk professional
- Pick one book and share one practical takeaway with leadership this week.
- Add a behaviour-focused metric to your next report.
- Run a 15-minute workshop on one human factor or mind hack.
Every page you read builds your credibility, your influence and your authority. This is how you become the go-to voice for human risk in your organisation.
Your mission this week: pick one title, dive in, and make it visible.
If you ever want to talk, or if I can help, let me know—book some time with me.
You’ve got this.
— Oz A