What cybersecurity gets wrong about people

by Black Hat Middle East and Africa


This week we’re focused on…

Phenomenology – and why lived experience should guide cybersecurity. 

Why? 

Because most of us have spent the last few years very focused on tools. AI, LLMs, quantum, real-time detection. 

But the question we need to ask more often is: 

What’s it like to be a person using these systems? 

The real person 

Not the persona. Not the end user. The person. 

In philosophy, phenomenology is the study of lived experience; not what we think people do, but what it feels like to live through a process. We think phenomenology is increasingly relevant in cybersecurity. Because if Black Hat MEA 2024 taught us anything, it’s that we’re still designing security around systems – but the risk (and the opportunity) lies with people. 

Speaking to us on the exhibition floor, Craig Jones (Immediate Past Director Cybercrime at Interpol) said simply, “You can do great work using technology, even if you don’t fully understand it.”

But he added: “That’s why we need checks and balances.” Why? Because no matter how intelligent the tech gets, the way people interact with it is unpredictable: emotional, distracted, overloaded, overwhelmed. Human.

The lived experience of cybersecurity isn’t clean. It’s messy. And that messiness is where breaches happen.

We need to frame risk in reality 

Justin Ong (CISO and Chief Privacy Officer at Panasonic) talked about how AI is helping translate security into business language. And that’s really valuable. But what’s underneath that is more profound: we’re learning how to frame risk in ways that resonate with lived reality – not just with dashboards and KPIs.

This is important because increasingly, leaders in cyber are recognising that the future of security might depend less on the tech stack, and more on how well we understand human experience. 

You know this: 

  • If a password policy feels punitive, it’ll get ignored
  • If a secure-by-design feature breaks a user’s workflow, they’ll bypass it
  • If no one feels responsible for a threat, it won’t be resolved

That’s phenomenology in practice, and we ignore it at our peril. 

Caitlin Sarian (Cybersecurity Girl) told us, “It’s not just engineers anymore. It’s product people, business leaders, creatives.” It’s not just diversity of role – it’s diversity of experience. 

So we need to design security not just for experts, but for real people, in real moments.

Rethinking cybersecurity leadership based on real life

When we caught up with Dr. Leila Taghizadeh (CISO at Allianz) at the 2024 event, she highlighted the energy and perspective coming out of the Middle East. A region with a young, connected population rethinking what cyber leadership can look like. Not imported best practices, but lived ones.

We can keep pushing the edge of what machines can do. But if we don’t embed empathy into the design, delivery, and communication of cybersecurity, we’ll keep solving the wrong problems.

As the philosopher Maurice Merleau-Ponty said:

“The body is our general medium for having a world.”

In other words, all perception (and all risk) is grounded in experience.

Let’s stop designing for the persona, and start designing for the human. 

What’s a blind spot in cybersecurity you think we’re all missing? 

Open this newsletter on LinkedIn and tell us in the comment section. 
