It is time to retire one of the most damaging phrases in cyber security.
If you have spent any time in the cyber security industry, you will have heard the phrase countless times: “People are the weakest link.” It appears in conference presentations, vendor marketing materials, awareness training platforms, and boardroom conversations. It has become so embedded in the language of the industry that many professionals repeat it without questioning whether it is actually true, or whether it is doing more harm than good.
At Unity Group Solutions, we believe it is doing significant harm. And we believe it is time the industry retired it for good.
Where the Narrative Comes From
The “weakest link” framing emerged from a legitimate observation: the majority of successful cyber attacks involve some form of human interaction. Whether it is clicking a phishing link, reusing a compromised password, or falling for a social engineering call, people are frequently the entry point that attackers exploit.
But there is a critical difference between acknowledging that attackers target people and concluding that people are therefore the problem. The first is a statement about attacker methodology. The second is a judgement about the workforce. And that judgement has consequences.
The Damage Fear-Based Messaging Causes
When organisations frame their employees as the weakest link, they set the tone for everything that follows. Security awareness becomes something done to people rather than with them. Training feels like a reprimand rather than an opportunity to learn. And the underlying message employees receive is clear: you are a liability, and the business needs to be protected from you.
The result is predictable. People disengage from security. They stop paying attention to awareness communications because the messaging feels hostile or condescending. They become reluctant to report mistakes or suspicious activity because they fear being blamed or disciplined. And in the worst cases, they actively circumvent security controls because those controls feel like obstacles imposed by a team that does not trust them.
This is not speculation. Research consistently shows that fear-based messaging produces short-term compliance at best and long-term disengagement at worst. People do not learn effectively when they are anxious, ashamed, or afraid. They learn when they feel supported, respected, and genuinely motivated to do the right thing.
Reframing the Conversation
What if, instead of telling employees they are the weakest link, organisations told them they were the strongest line of defence? Not as a hollow motivational slogan, but as a genuine reflection of what an empowered, informed workforce can achieve.
When people understand the threats they face, know what to look for, and feel confident in how to respond, they become an incredibly effective layer of protection. They spot phishing emails that technical controls miss. They challenge suspicious requests that automated systems cannot evaluate. They report anomalies that would otherwise go unnoticed. They do all of this not because they are afraid of consequences, but because they understand why it matters and they feel trusted to act.
This is not a theoretical position. At Unity Group Solutions, we have seen organisations achieve up to a 90% reduction in phish-prone behaviour through programmes built on empowerment rather than fear. The difference is not the content of the training. It is the culture surrounding it.
What an Empowerment-Led Approach Looks Like
An empowerment-led approach to security awareness starts with a fundamental shift in mindset. It means treating employees as partners in security rather than risks to be managed. In practice, this looks like designing training that is engaging, relevant, and tailored to the specific roles and risk profiles within the organisation. It means creating communications that are clear, accessible, and free from jargon. It means building a reporting culture where people feel safe to flag mistakes and suspicious activity without fear of punishment. And it means measuring success not just by click rates on phishing simulations, but by the behaviours, attitudes, and cultural indicators that tell you whether people are genuinely engaged.
It also means being neuroinclusive. Not everyone learns the same way, processes information the same way, or responds to the same stimuli. Effective awareness programmes are designed with this in mind, ensuring that training materials and delivery methods work for people of all neurotypes and backgrounds.
A Challenge to the Industry
We want to challenge every cyber security professional reading this to stop and think the next time they hear or use the phrase “weakest link.” Ask yourself what message it sends to the people you are trying to protect. Ask whether it motivates genuine engagement or whether it simply reinforces a culture of blame. And ask whether there might be a better way.
At Unity Group Solutions, we think there is a better way. It starts with trusting your people, investing in their knowledge and confidence, and creating an environment where security is something everyone owns, not something that is imposed on them from above.
Your people are not your weakest link. Given the right support, the right culture, and the right approach, they are your greatest asset.
Ready to build genuine cyber resilience through your people? At Unity Group Solutions, we design and deliver empowerment-led security awareness programmes that create lasting behavioural change across your organisation. Contact us today via hello@unitysolutions.org.uk.
