There’s something most of us do without quite realizing it. And I’m here today to shine a (somewhat uncomfortable) light on it. So, let’s strap in, shall we? :-)
When a goal feels important but uncertain, and the right answer is genuinely hard to find, we often make a quiet, barely conscious choice. We pick something smaller, something we know we can hit. We tell ourselves it's the pragmatic, realistic decision, and then we get on with it. We don't look too closely at whether it was really the right choice at all.
Herbert Simon called it satisficing (a portmanteau of satisfy and suffice). When the right answer is hard to find, it essentially means finding an answer we're confident in and calling it good enough. And sometimes, that genuinely is the right call, smart business even. But there's a version of satisficing where you know (quietly, privately) that you're not just being pragmatic, you're being safe. You chose the comfortable goal over the best one, and you avoid examining the gap because the truth would be uncomfortable.
So, what keeps people there? What are the actual forces that make settling feel like the sensible choice?
1. The right goal is genuinely hard to name
Think about anyone trying to make a meaningful change. As in, in their life, their health, their relationships, or their career. The honest, precise version of what they're trying to achieve is often incredibly difficult to articulate. After all, what exactly does a better relationship look like? How would you measure it? What specific behavior are you trying to shift, in whom, by how much?
These are hard questions. And you can do the work of figuring them out and still not arrive at a clean answer, which feels like a lot of effort for an uncertain return. So people settle for what's easy to measure rather than what actually matters. They track the proxy rather than the thing itself, and then tell themselves it's pragmatism.
Psychologists call the underlying mechanism motivated reasoning: i.e. working backward from a conclusion you want to reach, then building justifications around it.
The conclusion: I don't have to do the hard thing. The justification: the hard thing probably isn't possible anyway.
But let's call bullsh*t on this (and here's what distinguishes motivated reasoning from genuine pragmatism): you haven’t actually tested whether the hard thing is possible, you just decided it probably isn't because that’s easier and more convenient for you right now.
Awkward, isn’t it? The truth hurts.
2. Nobody is telling you to do anything different
When you settle, the feedback is usually positive. Your boss is satisfied, your peers respect you, and you’re operating comfortably within expectations. There’s something deeply human about not wanting to disturb that peace. And it’s actually very understandable.
But this (or rather a version of this) is what psychologists refer to as ‘self-handicapping’. Which is where you unconsciously protect your self-image by never fully committing to stretching any goals. And yes, it stands to reason that if you never aim higher, you can never be seen to have failed, or even fallen short. Which makes the comfort zone oh-so tolerable, nay, genuinely pleasant. So, it makes total sense from a comfort POV* that disrupting it feels unnecessary …especially for uncertain gain.
*Point of view, for all you non-Gen-Zers out there. And no, I’m not one either, I just pick these things up through a (wholly unintentional) process of osmosis. Call it ‘getting with the program’, if you will. Or an attempt in that direction, at least.
3. Going further means putting your head above the parapet
Genuinely committing to a harder goal often means challenging the assumptions of the people around you. It means saying implicitly (or explicitly) that the current approach isn't good enough, that more is possible, and that the accepted way of doing things deserves to be questioned.
That's a fight you haven't been asked to pick. It all but guarantees an uphill struggle against people who were perfectly comfortable before you showed up. (And it goes without saying that this isn’t always popular). Which is why it’s a conflict that’s incredibly easy to talk yourself out of, either consciously or subconsciously.
4. Timing. The timing is never right
There's always a lot on (ok, let’s call a spade a spade: too much. There’s always too much on). And this particular question feels like a Pandora's box. Open it, and who knows how time-consuming it’s going to become, how much it will complicate things, and how much additional work it will create?
“Not now, maybe later, maybe when things have settled down, when there's more space.” Newsflash: there will be no ‘later’. Things will not settle down, and no additional space will miraculously appear before you, bathed in golden light, smiling sweetly and humming softly. It ain’t happening.
Behavioral economists call this the Ostrich Problem. In short, it’s the tendency to avoid information or questions that might demand something of us. We bury our heads (here’s where the ostrich bit comes in, in case that wasn’t abundantly clear). Not out of laziness, so much as out of a reasonable-feeling instinct for self-preservation. The box stays closed, and later never quiiiite arrives.
The hardened truth: epistemic cowardice
And here’s perhaps the most important thing about all of this: most of it isn't fully conscious. These aren't decisions people sit down and make deliberately. We don't wake up and think: "I'm going to settle for less than I'm capable of today." We drift into it through a series of small, semi-conscious choices that each feel reasonable in the moment.
The rationalization happens quietly in the background, assembling itself into a coherent story about pragmatism and timing and working with what we have. Yes, we are making the right decision, no, we’re not just settling for ‘less-than’. Sure, sure.
Philosophers call the hardened version of this epistemic cowardice: the deliberate (if unexamined) choice of comfortable vagueness over demanding clarity. It’s not a dramatic act of avoidance, so much as a slow, quiet drifting away from the harder thing. Peaceful, serene, and yes… comfortable. Like a well-worn sweater, a much-loved dog, or the smell of baked goods hanging in the air.
But there’s a real cost to all this.
When we settle, we choose the comfortable goal over the right one. Which means we don't just limit our progress; we actually limit (or even kill) our ability to learn. Because we can only learn from honest measurement of the right thing. Comfortable metrics give you comfortable feedback. They tell you what you want to hear, not what you need to know. The settling compounds, and each cycle of comfortable goals and comfortable feedback, makes the harder question feel a little more distant, a little less necessary, and just a little bit easier to defer.
The (occasionally harsh) reality of the security industry
This deeply human pattern is easily recognizable across many areas of our lives (whether we like to admit it or not).
And, to compound this, there are professional contexts (such as our own, in particular …alas) where this plays out with devastating clarity, and (usually unenjoyable) consequences that extend far beyond the person doing it.
In our world, i.e. the space where we’re responsible for changing how others behave more securely around technology, security awareness and human risk practitioners face one of the hardest jobs in corporate life.
Because you're trying to shift how thousands of people make real decisions around risk every day, without coercion, in complex organizations that have (many) other priorities. The causal chains are long, the variables are endless, and there’s no guaranteed playbook. Oh, and lest we forget the addition of the fact that your leadership is rarely equipped to scrutinize your work that deeply. (Joy.) Which means the conditions for quiet, comfortable satisficing are jusssst about perfect.
If you ask practitioners what they’re trying to achieve, they’ll give you the safe list:
Improve training completion rates
Improve phishing simulation metrics
Raise training attendance figures
Drive up user engagement
All of that is measurable and reportable. It's easy to put on a dashboard, and it makes it look like the program is working. But if we’re honest with ourselves, we know that whether someone completes a module or engages more with security tells us almost nothing about whether the behavior actually changed.
A low phishing click rate on a Tuesday simulation doesn't reliably predict what someone will do when a sophisticated, real-world attack hits their inbox on a chaotic Thursday afternoon.
Awareness and behavior are not the same thing. They never have been.
The harder question (the right question) is: what behavior are we actually trying to change in people, and how will we know if it's shifted? And that question is genuinely difficult, not to mention uncomfortable (goodbye comfy sweater and smell of baked goods, hello overactive air-con and chairs that ever-so-slightly make your back ache).
Because it requires thinking carefully about which behaviors actually drive risk. It calls for a belief that behaviors are observable and measurable. And beyond that, it demands a willingness to acknowledge that your current program might not be moving the needle on what actually matters. And when nobody above you is demanding that clarity, it’s incredibly easy not to question it yourself, and instead retreat to the safety of the comfortable metrics (the ever-present lure of comfy sweaters and baked goods).
Many tell themselves they're being pragmatic. But they haven't even tried to answer the harder question. They’ve just decided it’s unanswerable …because that’s easier than finding out it isn't. The goal they've set isn't wrong, per se; it's just not right. And somewhere, quietly, in the busy, preoccupied confines of their mind, they do know this.
That's what many refer to as the clarity tax. It's not the absence of goals; it's the presence of the wrong goals, chosen carefully, dressed up as accountability, and left entirely unchallenged, because the cost of challenging them falls entirely on the person who would have to do it. (In case it’s not clear, this person is you.)
It’s time to answer the question we’ve all been avoiding
Here’s what we need to admit: the harder question is answerable. Not perfectly, sure, but well enough to be far more useful than the comfortable alternative. Well enough to change things for the better.
We know which behaviors actually increase the likelihood of a security incident. We know how to measure whether those behaviors are shifting. We know how to design interventions that move real (human) decisions rather than just reported awareness.
We also know how to control for confounders, so you can be confident that the actions you take are actually responsible for the improvement of specific security behaviors. The tools exist. The science exists.
What's missing is the willingness to name the real thing, not just the safe thing. Which requires setting a goal that's harder than you're confident you can hit, to find out honestly whether you've moved the needle, and having the integrity to learn from it when you miss. Which you might. And you need to be ok with that.
That takes a kind of courage that doesn't get talked about enough. Not the courage to respond to a breach, or defend a budget, or argue that “people aren't the weakest link”. It takes courage to stop satisficing. To do the hard work of figuring out what you're actually trying to achieve and then going after it honestly.
The fog might feel like safety, but it costs everyone, including (eventually) yourself. It's time to step out of the haze, drop the defensive metrics, and do the hard, necessary work of proving you've changed the behaviors that are likely to stop real attacks on a chaotic Thursday afternoon. And if that sounds like fighting talk, it’s because it is. We ride at dawn.
Oz A
To map out what real risk reduction looks like for your team, and see how we can move your program from simple awareness to proven behavior change, book in time with me and we’ll talk it through.
Oz Alashe
CEO and Founder, CybSafe
What did you think of today's email?
Your feedback helps me create better emails for you!