Sarah Aalborg on Secure by Choice


What do people have to do with cybersecurity? A lot. As with other fields of human risk, it’s people that are typically the root cause of problems in the cybersecurity world. Which is where my guest’s expertise in behavioural design comes into play.

On this episode, I’m speaking with Sarah Aalborg, a cybersecurity and behavioural design expert who’s on a mission to change how organisations approach IT security.

Rather than focusing on firewalls and tech solutions, Sarah examines the human behaviours that can undermine even the best-designed security systems.

Her new book, Secure by Choice, challenges conventional security thinking by exploring how cognitive biases affect security professionals and how to use behavioural design to reshape security culture.

We discuss the pitfalls of traditional security training – particularly those phishing tests that feel more like traps than training – and how to flip the script by focusing on what we want people to do rather than what we want them to avoid.

Sarah shares practical strategies for using positive reinforcement, creating engaging training experiences, and making security less about fear and more about action.

By applying principles of behavioural science and risk-based thinking, Sarah explains how we can bridge the gap between security policies and everyday human behaviour.

Guest Biography
Sarah Aalborg is a cybersecurity expert and behavioural design advocate, focusing on how cognitive biases impact IT security professionals and their decision-making processes.

She is the author of Secure by Choice, a book that challenges conventional approaches to cybersecurity training by applying principles of behavioural science to security culture.

With a background in IT security spanning over two decades, Sarah speaks at major security events and consults with organisations on how to create more effective, engaging, and human-centric security programs.

AI-Generated Timestamped Summary
[00:00:00] Introduction

[00:01:00] Meet Sarah Aalborg – Why she wrote Secure by Choice and her journey into behavioural design.

[00:03:00] The '20-centimetre above the keyboard' exercise – How human inaction impacts tech security.

[00:05:00] Why phishing tests feel like entrapment – and how to flip the script.

[00:08:00] Turning phishing tests into positive reinforcement opportunities.

[00:10:00] How a simple 'Report Suspicious Email' button can change behaviours.

[00:12:00] The problem with fear-based messaging in cybersecurity.

[00:14:00] Why telling people what NOT to do isn’t effective.

[00:15:00] Sarah’s four-step framework for creating risk-aware security cultures.

[00:17:00] Why most security training is designed to address the wrong problem.

[00:20:00] The McDonald's kiosk example – What we can learn from other industries.

[00:25:00] The importance of actionable examples in security training.

[00:30:00] The generative AI paradox – When tech meets human bias.

[00:35:00] Why AI is the ultimate behavioural science challenge.

[00:40:00] The 'Operating System' analogy – Why the human brain is still running Stone Age software.

[00:50:00] Why cyber professionals need to look outside their own industry for inspiration.

[00:55:00] The role of curiosity and exploration in designing effective security programs.

Links:
Sarah’s website: https://securebychoice.com/
Sarah on LinkedIn: https://www.linkedin.com/in/sarah-aalborg-bb348a1/
Secure by Choice: https://securityblendbooks.com/products/secure-by-choice?

This episode was added to Podme via an open RSS feed and is not Podme's own production. It may therefore contain advertising.
