Mortality and all that…
It was my birthday recently – a major one! Thank you. That’s kind. Being a dutiful Dad, as my tachograph creeps inexorably towards the ‘mandatory end of journey’ marker, I’ve been spending a lot of time and pulling out a few more grey hairs, trying to make sure that my children and grandchildren don’t have too much of a headache sorting out my affairs when… well, you know. So I’ve had one or two opportunities to contemplate the nature of mortality, prior to being accidentally caught up in a fire at a heavily-insured warehouse (10pm, a week on Thursday).
In 1969, Elisabeth Kübler-Ross wrote a book about the emotions people tend to experience when coming to terms with the news that they’re dying. Those findings were simplified into what is now a widely-known model setting out five supposedly consecutive stages (denial, anger, bargaining, depression and finally acceptance). The model has also come to be applied to grief, i.e. the stages that people go through following a bereavement. And indeed, it’s been applied to people experiencing loss generally rather than specifically the loss of a loved one. As pointed out by the author, but frequently ignored, the five stages aren’t necessarily sequential, and not everyone goes through all the stages. Nonetheless, it’s proved to be a useful framework. Also, Geoff E gave an absolutely brilliant presentation a few years ago, using the model to illustrate how people come to terms with change in cyber. So I’ve nicked it. Come on, what’s he going to do – sue me?
Denial
I went to a cyber conference oriented around SME security a couple of years ago. The star speaker spoke about the average cost of a breach (quoting from the DCMS security breaches survey), saying it was so high, some companies might not survive the shock. The speaker had first-hand experience of dealing with incidents, and was credible (I thought) in their argument. Afterwards, the academic organising the conference asked how I had found it. Perhaps foolishly, I gave an honest answer, saying that the evidence was more nuanced. While the average impact was quite high, the impact distribution is known to be long-tailed, so it would have been better to use the median rather than the mean. And the median is as close to zero as makes no difference.
Academic: No it isn’t.
Me: It is, it’s been reported as that in the DCMS surveys for about the past five years. There are other sources showing the same thing.
Academic: No, that must be wrong.
Me: Um, it’s in the same table on the same page of the same document summarising the same analysis conducted on the same base data, by the same people working on behalf of the same Government Department, at the same point in time. It’s one cell to the left of the cell showing the mean.
Academic: No it’s not.
Me: No, it is. It’s also summarised in text in the body of the report.
Academic: Well, there are methodological errors in that survey.
Me: The same survey quoted by your star speaker?
Academic: I’d have to look into it.
Me: So after arguing with me for five minutes, you’re now going to take a look at the evidence?
My parents brought me up to be polite by default, but at this point I couldn’t do much more than burst into laughter and walk away.
The lesson here (for me anyway) was that if you put up an argument that diverges from the accepted narrative, be prepared to be greeted with blank, uncompromising denial. Speaking personally, I’d have been happy to have been proven wrong, as long as I’d been shown to be wrong on the basis of evidence and a rational argument. Silly rabbit…
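The mean-versus-median point above, illustrated with a constructed sample. This is an added example, not the DCMS figures and not analysis from the original post; the cost values are made up purely to give a long-tailed shape (most firms report nothing, a handful report very large losses) so the behaviour of the two summary statistics can be seen side by side.

```python
"""
Added illustration: why the mean of a long-tailed breach-cost sample
says little about the "typical" organisation, while the median (and a
look at who sits in the tail) tells a different story.

SAMPLE_COSTS is constructed for this example only. It is NOT survey data.
"""
from statistics import median

# Constructed per-organisation breach costs (GBP) for 20 firms.
SAMPLE_COSTS = [
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   # twelve firms: no measurable cost
    50, 120, 300, 500, 1_200, 4_000,       # six firms: small costs
    15_000, 250_000,                       # two firms: the long tail
]


def summarise(costs):
    """Mean, median, share of total cost carried by the top decile of cases,
    and the fraction of firms whose cost exceeds the mean."""
    ordered = sorted(costs)
    n = len(ordered)
    total = sum(ordered)
    avg = total / n
    top_n = max(1, n // 10)                # top 10% of cases (at least one)
    top_share = sum(ordered[-top_n:]) / total if total else 0.0
    above_mean = sum(1 for c in ordered if c > avg) / n
    return {
        "mean": avg,
        "median": median(ordered),
        "top_decile_share": top_share,
        "above_mean_fraction": above_mean,
    }


def sensitivity(costs):
    """Recompute mean and median with the single largest case removed.
    A summary that moves a lot here is being driven by one observation."""
    ordered = sorted(costs)[:-1]
    return {
        "mean_without_max": sum(ordered) / len(ordered),
        "median_without_max": median(ordered),
    }


if __name__ == "__main__":
    full = summarise(SAMPLE_COSTS)
    trimmed = sensitivity(SAMPLE_COSTS)
    print(f"mean   = {full['mean']:>10,.1f}")
    print(f"median = {full['median']:>10,.1f}")
    print(f"top 10% of cases carry {full['top_decile_share']:.1%} of total cost")
    print(f"firms above the mean: {full['above_mean_fraction']:.0%}")
    print(f"drop the largest case: mean -> {trimmed['mean_without_max']:,.1f}, "
          f"median -> {trimmed['median_without_max']:,.1f}")
```

With this sample the mean comes out at about 13,559 while the median is 0; two cases out of twenty carry roughly 98% of the total cost, and only 10% of firms sit above the "average". Dropping the single largest case cuts the mean by more than 90% and leaves the median untouched, which is the practical test for whether a headline average is describing the population or one outlier.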
Anger
Where do I start? Maybe the conference where I gave a presentation on the impact of ransomware, arguing that it’s been hyped up, as shown by Government figures, and by figures issued by the cyber industry itself. One particular attendee (again, an academic, but that might have been a coincidence) became quite incensed at this. They misquoted a paper (one that I’d read, luckily), saying that cyber attacks, and ransomware attacks specifically, had significantly affected levels of healthcare in a number of instances. So what did I have to say to that? Again, perhaps foolishly, I corrected their statement, saying that it was the knee-jerk reaction of the cyber teams adding in more layers of security that had led to a reduction in efficiency. I may even have been rash enough to provide a verbatim quote from the paper, illustrating the point. Wow. Don’t do this at home, kids. The next set of rather more barbed comments were along the lines of “we’re not here to listen to this sort of stuff, we’re here to look at the way we can use technology to address the threats”. Basically, that I had no right to be in the room, and to waste their time with new ideas, and to provide suggestions on how we might do cyber more effectively. Stage One (ironically) being to move away from a narrative based on folklore.
Lesson Two: It’s a shameless reinterpretation of the original model, so apologies. But taking away the tenets that people have used as the basis of their thinking for the past twenty (?) years – the same basis they’ve used to conduct their business and lecture their students – can be seen as a kind of loss. You’re taking something very important away from them, and for some people, maybe in the case of practitioners who have been at this for a very long time, you’re attacking their sense of identity. So logically speaking, there are many reasons why the anger bubbles up and rationality goes out of the window. I get that. But as with denial, it’s very hard to move people on. The position seems to be that the narrative is all that matters, and it needs to be protected at all costs.
Bargaining
How to do this without being permanently blanked by people that I regard as friends – valued (and respected) friends in some instances? Not sure there is a way to do it, but I’ll be as circumspect as possible.
As you can see elsewhere on this very web site, I use the Travelex and KPN Logistics incidents as the basis of an argument regarding “superstitious thinking” – two events becoming linked in people’s minds, with one of them then being seen as a causal factor in the other, even though the two events were unrelated. In the case of Travelex, anything up to $1Bn in hidden debt, plus financial irregularities, were the main triggers for the downfall of their parent company. In the case of KPN Logistics, about 500 other UK-based logistics companies went bust in the same year, and for the same reasons – fixed cost base inflation against a background of declining demand. Yet the cyber mythology is that a ransomware attack caused both incidents.
All you have to do to affirm this ransomware theory is to ignore all the other evidence. Such as the evidence from the haulage industry body, saying that the economic conditions at the time constituted a ‘perfect storm’. Or the statement by the Financial Conduct Authority, threatening to fine Travelex’s parent company back into the Stone Age, for issuing misleading financial reports.
Sometimes I get this as a response: “I accept your argument that the companies concerned may have been in deep financial trouble prior to the ransomware attack. But surely it’s possible that the ransomware was the factor that tipped them over the edge?”.
Well, I guess so. But here’s a set of thoroughly researched facts and figures, comparing those companies to almost identical companies running under exactly the same operating conditions, same financial constraints, and in the same market at the same time. In both cases, the comparison company also went broke, even though they didn’t have a ransomware attack. The corollary being that it was more likely to have been the economic and operating conditions that caused these companies to go under, rather than the ransomware.
I don’t often get a positive response to that sort of counter. Or any response at all, frankly.
I’ll draw a line under it there. The message for me being that bargaining, while it might seem to be the first stage in moving towards acceptance, is in reality more like a last ditch attempt to squash the argument that cyber isn’t at the centre of the universe. And when bargaining fails, we cycle back to denial and anger. I won’t go into the detail of the instances where people that I’ve known and worked with for ages, and who openly accept that the industry needs shaking up, then disappear when I suggest that we should take some action to do just that. Bargaining, no matter which side it’s on, seems to have only a limited scope.
Depression
As I said, not everyone goes through every stage. I seem to be the one that’s got stuck in this one.
Acceptance
Yay! There are some people that get to acceptance. Well, I say “get to”. I’d say that mostly they come to the discussion already in that state. I’ve had some very nice responses to my presentations, organisers saying that the preso was well received (at least by some people) and attendees saying (publicly!) that the arguments presented were clearly based on common sense, and that it was unfortunate that others in the audience had their opinions largely driven by egos and bias. Which is all very nice, thank you.
I won’t embarrass the individual concerned, but I’ve also had correspondence agreeing that there’s a better way to do cyber, starting from a realistic view of human behaviour. That correspondence also confidently asserted that ultimately common sense would win out, to the benefit of those companies and organisations who were prepared to take a more rounded view of security.
Despite the warm feeling (and I’m very grateful for the support), that is where I disagree. I honestly don’t think that anything will change. As pointed out by the individual concerned, they were (as of 2025) delivering presentations containing material from about ten years earlier. That is, they had been preaching the gospel for ten years, with no apparent effect. I looked at my notes, and realised that I’d started the underlying research for my book, over eight years ago. Same thing – same argument, same timeframe. Same outcome.
The implication being that the current situation is very stable, which supports the idea that security is socially constructed. If you want to change things, you need to introduce a new stakeholder, remove an existing stakeholder, or get one of the existing stakeholders to change their views. Not an easy option, any of them. The cyber industry sells compliance, not security, Government is interested in a profitable, expanding cyber industry, and customers are buying what they’ve been conditioned to buy (see “Phishing for Phools” by Akerlof and Shiller). That’s a very stable situation.
Acceptance of the idea that cyber can be done in a better way, however welcome that might be, isn’t going to change anything. There has to be action.
And just before you report me to SO15…
Envoi
If the cyber industry is interested in profit, and you’re offering a better way to do security (which might in the medium term, eat into those profits), then how much traction are you likely to gain? And given that EU-based thinking on legislation seems to be baked into the UK Government approach, leading to a mindset that compliance (not effectiveness) is the goal, how much traction will you see from an approach based on improving effectiveness? And as for the clients of the cyber industry, they’re getting exactly what they’ve been told to expect – compliance.
So out of all the stakeholders involved, who is left to influence, if you want to achieve change? Only the regulators, as far as I can see.
A Suggestion
If you accept that security can and perhaps should be done in a more effective way, then get real. Do what the other stakeholders are doing. Put pressure on the regulators. Constantly arguing from a position of logic, expecting people to be sensible, is pointless.
Get yourself a friendly MP. Someone that wants to make a name for themselves in the highly important area of cyber. Especially if doing so might lead to a number of well-rewarded NED positions. Get them to author a report (Blue Peter style, it may be handy to have one available that you prepared earlier), saying that oh, I don’t know:
Is the House aware that some 95% of cyber attacks on critical infrastructure involve the exploitation of human behaviour?
Much waving of order papers, shouts of “shameful”, and “something should be done”.
Further, is the House aware that according to figures released by the World Economic Forum, cyber crime will cost the global economy approximately $25Tn each and every year, by the end of 2027? And that cyber crime costs the UK economy specifically, around £22Bn per year?
Awed silence. Actually, that is a true statement, the WEF summary report for 2024 I think, contained that statistic. It’s bollocks of course, unsupported by any research, but it was in the report, so it must be true. The £22Bn figure was in a DSIT press release in 2025. Although it mysteriously vanished from later versions… 🤔
My proposal for world-leading legislation will put the UK on the front line in the fight against cybercrime. It’s time to get tough on the cause of this unnecessary drain on the pockets of hard working people, and put those funds into strengthening the NHS, and defending the nation. The Cyber Effectiveness Act will drive to the very heart of this problem – human error. Every company deemed to be part of the critical infrastructure will be required to implement a behaviour change programme, to replace their outmoded, ineffective security awareness training. Experts predict that this will reduce cybercrime by at least 70% in the first year, potentially limiting it to no more than 10% of current levels, by the end of this Parliament.
Wild cheering, especially from the Chancellor of the Exchequer. Big smiles from the MP, since they intend to be free and clear by the end of the current Parliament.
Will this work? Who knows? I’m not your Mum.
The cyber industry will probably be ok with it, at least in the short term, as it’s potentially a new revenue stream. What happens when they realise it’s cannibalising their existing tech offerings is a different issue. Still – Vorsprung durch Psychologie, as they say.
Customers? BAU, mate. More cyber legislation, more requirements to comply with. Standard model. Only this time, hopefully, compliance will lead to effectiveness, rather than just increasing revenue for suppliers.
Maybe we might also get lucky, with NCSC and/or the certification bodies kicking off a scheme making behavioural security a recognised specialisation.
So maybe it could work. Nobody has to significantly shift their position, and it makes use of existing mechanisms. And personally, I would love to see this happen, so if you’re of a mind to do it, crack on. And if you could – preferably before 10:00pm a week on Thursday…
First published 18th August 2025
Minor edits 18th April 2026