In cybersecurity, mistakes can seem like landmines waiting to derail careers and reputations. Still, despite our best efforts and security protocols, they happen, leaving your colleagues feeling ashamed or defensive—personally responsible yet powerless to help themselves.
Fear of ridicule and blame often makes these human errors go unreported or hidden, even though they hold a surprising power: mistakes are catalysts for resilience, learning, and ultimately, stronger security practices.
This article explores the untapped potential of getting it wrong, from time to time. From nurturing a culture of psychological safety to reframing how we perceive failure, we'll see how you and your organization can make it easy and safe to report mistakes, turn them into valuable lessons, and adapt cybersecurity training to prevent them from happening again.
The cost of perfection in human risk management
Expecting your colleagues to never make mistakes in their day-to-day security practices overlooks some basic truths about human behavior.
For one, security isn’t what motivates most people. They’re motivated by getting their job done and feeding their families. If security measures get in the way, they find work-arounds, often unintentionally putting themselves and their organizations at risk. It's not that they want to jeopardize security—it's just human nature to prioritize immediate needs.
And yet, human cyber risk management practices often label human errors as sheer carelessness or incompetence, letting the fear of consequences define the workplace culture—consequences like embarrassment, extra work, feeling guilty or even getting fired, damaging reputations, or missing out on career opportunities.
This fear fosters an environment where colleagues hide mistakes from one another instead of acknowledging and learning from them. Rather than promoting openness and continuous improvement, the focus shifts to assigning blame and tightening controls.
People are not “the weakest link” — our understanding of people is
Perfection tries to fix wrong behavior, instead of trying to understand why people behave the way they do. It assumes that human behavior is wrong, broken, and that we should fix it, treating people as human risk components that can be controlled, not as individuals.
In this environment, it’s easy for your colleagues to feel like any mistake is solely their fault, especially if they think of themselves as the “weakest link” in the security chain. And with so many companies reinforcing that belief, who wouldn't feel that way?
Genetic testing giant 23andMe blamed a data breach on users not updating passwords, when really, the breach stemmed from credential stuffing—a known issue exacerbated by the company’s own security lapses. Uber's secretive culture discouraged employees from reporting security issues, and the company tried to cover up a massive data breach that exposed the data of 57 million users.
Both instances show how these companies shifted responsibility onto the people who were most affected, rather than taking accountability themselves, leading to serious security failures.
The truth is, people are complex. And the reasons they make security mistakes are just as sophisticated:
Falling for phishing attempts: new hires are significantly more susceptible to phishing attempts, possibly due to a combination of factors that includes no previous training, the pressure of a new job, and the eagerness to make a good impression when the "CEO" asks you to buy some gift cards.
Sharing credentials: in fast-paced work environments where collaboration is key, team members might share login credentials for a work laptop to access files quickly—convenience at the risk of data breaches.
Clicking suspicious email links: when folks return from vacation and are rushing to get through a high volume of emails, their vigilance may be lower, making them hastily click on a link in what appears to be an urgent email from their boss.
Ignoring security warnings: sometimes, individuals overlook security warnings because they're in a hurry or find the constant alerts annoying—like dismissing a pop-up warning about an outdated software update because it interrupts their workflow or not patching their system because it takes their attention away from primary tasks.
Not considering security risks: people often make mistakes in the name of speed or efficiency, like using direct output (including code) from generative AI without checking it for security issues, or not budgeting for security in product or operations because they’re chasing features rather than boring protocols.
If we really want to learn from mistakes in risk management, we need to dig deep into the reasons behind them without being afraid of what we find. This way, we create cybersecurity processes that help our colleagues instead of setting them up to fail.
Expecting perfection makes you miss learning opportunities
To you, cybersecurity is useful, effective, and genuinely interesting. Your colleagues, however, often see cybersecurity as a high-stakes environment where one wrong click, a reused password, or even an accidental false report could have serious consequences.
With data breaches, financial losses, or reputational damage on the line, it's no wonder they choose to play it safe, avoiding risks and new approaches.
So they don’t report suspicious emails, just in case they’re wrong and end up bothering someone—or worse, looking uninformed. They don’t tell colleagues when they fail a phishing test and are forced into a generic course. And they start to see cybersecurity training as punishment, rather than a learning opportunity.
This is what stigmatizing mistakes at work does:
It makes cybersecurity training a box-ticking exercise instead of a chance to build real security skills.
It discourages people from engaging with security materials, slows down progress, and leaves your organization vulnerable to new threats.
It stifles innovation and learning in a field that’s supposed to be all about creativity and challenging the rules.
A culture of safety, where people feel comfortable to make, report, and learn from their errors, is how cybersecurity awareness grows and evolves:
It gets your colleagues to care about security because it clicks with their needs, addresses their challenges, and shows them that their reactions and emotions make them stronger, instead of vulnerable.
It creates an environment where people make good security choices because they want to and because they believe they can.
It means your job isn’t to pinpoint mistakes or call out colleagues; instead, it's about teaching people secure habits and giving them the tools, context, and guidance they need to act on them.
We learn best from mistakes when we feel safe to report them
Time and again we've seen why mistakes are incredible opportunities for learning, adapting, or even innovating. Like when a $0.75 accounting error led Clifford Stoll to uncover an international hacking ring, or with the mistakes that blessed us with penicillin, post-it notes, or non-stick pans.
Here are 5 ways in which changing your approach to human error can boost your cybersecurity program:
1. Mistakes provide real-world examples that make training more relevant
They make abstract ideas like security much more practical and easier to grasp, helping your colleagues learn from real-life lessons that hit home.
Someone who accidentally shares their login credentials and gives away access to confidential files is a clear example of why they need to use two-factor authentication—a lesson they’ve had to learn the hard way.
When the rest of the team sees this kind of thing happen, it also helps them understand the importance better than just talking about it, encouraging everyone to be more responsible with their own work.
2. Mistakes improve cybersecurity efforts and encourage people to take better actions
When someone reports a security incident, it gives you an opportunity to fix a gap in your cybersecurity awareness training.
Suppose a colleague who struggles with technology reuses their password across multiple platforms, and one of those platforms gets breached.
Instead of reprimanding them, hold interactive cybersecurity exercises that highlight how the elements of their work are connected and the domino effect a single compromise can have on an individual, as well as the group—and how an attacker takes advantage of that.
3. Repeated mistakes in specific areas can identify patterns of risky behavior
Part of your job is to observe behavior patterns over time, ideally without compromising your colleagues’ privacy. Understanding why these bad behaviors happen where they do (or why good ones don’t) allows you to craft security controls that work with people, instead of getting in their way.
For instance, if a department frequently mishandles sensitive data, you might look into the parts of their workflow (like overly restrictive policies) that cause the bad behavior, and adjust them. You may also consider training specific roles or parts of your organization based on aggregated data.
4. Mistakes show you who needs extra help and what kind
Mistakes are an opportunity to give someone the help they need, when and where they need it.
Just like a tutor helps a student with specific problem areas, security training can be personalized, even based on anonymous behavioral data. For example, if a department repeatedly falls victim to phishing attacks, you can identify common triggers. Then, refine their training modules to simulate these scenarios and help them feel better equipped to handle cyber threats.
5. Mistakes create a valuable feedback loop
When you show people you care about their safety, they help care for your organization. Colleagues who inadvertently open attachments that result in malware infections get guidance and learn at their own pace to do better the next time they get a dodgy email. Then, they pay it forward by sharing their experience with teammates.
This ongoing learning means people feel safer reporting issues and are more engaged in following security protocols because they understand the reasons behind them.
Bite-sized tip: Human risk metrics help you recognize your team’s real security needs and upgrade your cybersecurity program to reflect them. Use them to understand their specific challenges and engage your colleagues in compelling activities to improve those security KPIs.
How to develop a cybersecurity culture that embraces mistakes
Psychology teaches us that safety in the workplace is defined by more than just policies and procedures; it’s about creating a space where people can admit vulnerabilities and discuss problems openly.
These eight practical strategies encourage openness, learning, and proactive risk management, making it easy for your colleagues to report mistakes:
1. Be open, approachable, and trustworthy
When they make a mistake, people need someone they can turn to for support and guidance. Someone who will actively listen to their cybersecurity concerns and meet them with genuine interest, empathy, and thoughtful responses. Someone like you.
Be friendly, available, and clear in communication. Let your colleagues know they can talk to someone who will listen, that their privacy will be respected, and that admitting mistakes won't put their job at risk. This should be a company-wide effort and an important part of the conversation around security.
Encourage questions and create an atmosphere where curiosity is welcomed. This is especially helpful in remote work setups, where it helps combat feelings of isolation and burnout, ensuring that no one feels alone in handling security issues.
Collaboration is natural here—you're part of a team that tackles security issues together, whether in group discussions or one-on-one chats.
2. Encourage open dialogue
Poor communication is a major roadblock in getting your colleagues to adopt cyber-safe habits.
Cybersecurity exercises are a great way of encouraging everyone to talk openly about this topic by simulating real incidents. Folks can share their experiences, ask questions, and suggest solutions without fear of being criticized or embarrassed. Active listening is key here—it’s not just about hearing what someone’s saying but understanding their perspective and learning from it.
Exercises also help you show that reporting incidents or vulnerabilities is not only welcomed—it’s essential to strengthen everyone’s overall security. Instead of hiding mistakes, these discussions encourage your colleagues to turn them into teachable moments.
3. Use language that supports, not blames
The way you talk about security shapes how your colleagues react to it. Make it feel approachable, considerate, and genuinely helpful on a personal level. When mistakes happen, approach them with positive curiosity rather than frustration and use supportive language to show you understand what they’re going through.
Here’s what that can look like:
| From assigning blame | To supporting improvement |
|---|---|
| Someone clicked on a phishing email and we lost €10,000 | How we turned a €10,000 business email compromise scam into a workflow that prevents this type of attack |
| A team member accidentally downloaded malware that infected our network | This bite-sized course helps you handle and report suspicious downloadables safely—and it only takes 15 minutes! |
| A weak password led to a breach of client data | Here are the 3 steps you can take to help us improve password strength across the organization |
Bite-sized tip: show your colleagues more cyber empathy with creative approaches. Sometimes, translating security communications into someone's native language can make all the difference. It shows that you value their understanding and want them to feel included in the security conversation.
4. Share knowledge
Sharing knowledge in cybersecurity means using your collective wisdom to stay ahead and make your organization more resilient. It's not just about fixing problems but also about openly discussing what went wrong, why it happened, and what you're doing to make things better with everyone involved—team members, managers, and other departments.
Say a phishing email successfully tricked an employee into revealing their login credentials. How convincing was the email? What were the red flags? Discuss how attackers used the compromised credentials to access which data. Then, propose improvements like enhanced phishing awareness training, using multi-factor authentication, and improving email reporting and response procedures.
Use different ways to spread this information effectively—meetings, presentations, reports, and training sessions—and make sure everyone gets the message. By sharing stories of past slip-ups and how they helped strengthen defenses, you turn setbacks into successes and give colleagues the confidence to come forward in the future.
5. Lead by example
When things go wrong, people look to leaders for guidance. Show vulnerability and openness by admitting your own mistakes and discussing how you addressed them. This sets a powerful example for your colleagues and encourages them to do the same.
Involve management in cybersecurity exercises to help them understand the challenges firsthand and lead the response. A breach simulation exercise, for example, can help your executives experience the chaos of a data breach scenario and the impact of their choices. It might also help earn a bigger budget to improve cybersecurity in your organization.
6. Give supportive feedback
Constructive feedback is powerful. It’s not about pointing fingers when something goes wrong; it’s about understanding why it happened and figuring out how to prevent it in the future.
When someone comes to you with a concern or a mistake, frame your feedback to emphasize learning and improvement. Focus on the systemic factors that contributed to the mistake rather than blaming individuals. Respond with empathy and reassurance, acknowledging their feelings and offering support.
Say you’ve detected unauthorized access to customer data. A colleague figures out they’re the breach’s origin—they left their work laptop unlocked in a cafe. What do they do now? Explain how leaving their laptop safe at the office has more advantages (and lower risk) than taking it home to work late. Together, you can pinpoint and fix the weaknesses in your access control systems that led to this incident, and prevent it from happening again.
Bite-sized tip: give everyone instantly helpful feedback for suspicious emails on the spot. MailRisk analyzes phishing, spam, and scam emails, and protects your colleagues’ privacy to increase reporting rates and data quality.
7. Reinforce what works
Celebrate instances where mistakes led to valuable insights or improvements in cybersecurity practices. It will give folks a sense of achievement for their good cybersecurity actions.
Take, for instance, the Swedish speed camera lottery experiment. Drivers who stuck to the speed limit could win money in a lottery funded by fines from speeders. This not only punished those who sped but also rewarded safe drivers, making roads safer. Overall, average speeds dropped from 32 km/h to 25 km/h, showing how this positive approach can change behavior for the better.
Stockholm’s trial is a brilliant example of using gamification to nudge people towards safer behavior without just relying on fear of punishment. You can bring the same idea into your cybersecurity training by mixing things up with engaging formats like videos, interactive elements, quizzes, and a rewarding point system. This kind of gamified e-learning acts as a teaser to generate interest for what really matters—understanding cybersecurity and acting on it—and keeps your team focused and excited about their progress.
8. Integrate lessons from mistakes into security training
Analyzing and learning from each human error isn’t enough to truly impact your security practices. To see real change, you need to incorporate these lessons into your cybersecurity education programs. This not only strengthens your digital security but also shows appreciation for everyone's efforts to keep the organization safe.
Think of phishing simulations, for example. Instead of just running these exercises to catch mistakes, you can use them as valuable teaching moments, while maintaining your colleagues’ privacy and not putting anyone on the spot:
When someone clicks on a simulated phishing email, gather the team to discuss the simulation results openly but anonymously.
Highlight what tell-tale signs the simulation included and why the email was suspicious.
Provide practical tips on spotting phishing attempts in the future.
Help people develop resilience and confidence in handling mistakes.
This way, you shift the focus from fault to learning, empowering your colleagues to admit mistakes without fear.
Security starts with understanding what your colleagues need
The status quo on human error needs to change. We’ve learned from years of psychology and human reliability research (and decades of practice) that just setting strict rules and draining people’s energy with frustrating, fear-based tactics doesn’t work. People make mistakes, and it’s up to us, as security professionals, to transform them into stronger security practices.
At Secure Practice, we understand that effective cybersecurity education programs need to be engaging and practical, tailored to meet the needs and specific challenges your colleagues have, instead of trying to force them into artificial patterns.
That’s why we’ve built interactive, game-like learning modules that make cybersecurity relevant and interesting for everyone—yes, even the HR, accounting, and legal departments—and make them care about, talk about, and act on cybersecurity needs and triggers every single day.
We believe in helping you create a culture where your colleagues feel safe to make and report mistakes. Our tools allow for anonymous reporting, encouraging communication and a proactive approach to cybersecurity. Use them to create bespoke, positive learning journeys that respect colleagues’ pace and privacy.
Immediate feedback is another key aspect of our approach. With real-time insights into the impact of their actions, individuals understand the consequences of their decisions and how to make safer ones. This instant reward ensures they always have a positive experience with cybersecurity.
We measure the effectiveness of our training through actionable human risk metrics that assess real-world improvements in cybersecurity awareness and behavior. You can use this security behavior data to understand, track, and improve your cybersecurity efforts.
By creating a safe learning and reporting environment and using Secure Practice's solutions, you're not just changing mindsets—you're translating those changes into real positive change in security resilience.
In turn, you earn trust and support throughout your organization, from colleagues to top executives. Together, you can turn challenges into opportunities and power up your security awareness program.