Ethical Security Storytelling: Using Real Breaches in Training

Hoxhunt
04/28/2026

Transcript


TL;DR

  • Real breach stories drive behavior change more effectively than generic warnings because they provide concrete, relatable examples that show employees what security vigilance actually looks like in practice.
  • Ethical security storytelling requires focusing on decision points and empathy rather than victim-shaming, technical overwhelm, or sensationalism — public availability of breach details doesn't automatically make them appropriate for training.
  • Awareness teams should implement lightweight ethical review processes using a five-question framework: What behavior am I changing? Does this story teach it? Who could be hurt? Is timing appropriate? Would I accept this about my company?
  • Cultural context significantly impacts how breach stories should be framed, particularly around concepts like challenging authority, with regulated industries requiring more sensitivity than startups with blame-free cultures.
  • Effective measurement goes beyond engagement to track actual behavior change and security outcomes, with continuous micro-trainings in native work environments outperforming traditional quarterly compliance courses.

Why Real Breach Stories Work in Security Training

This podcast episode explores how security awareness teams can leverage real cyber incidents to drive meaningful behavior change without crossing ethical boundaries. Host Noora Ahmed-Moshe and guest David Badanes examine why actual breach examples outperform generic warnings — real stories provide concrete, sensory details that help employees understand what 'being careful' actually looks like in practice. The discussion draws on research from Heath and Heath's 'Made to Stick,' emphasizing that humans are wired to remember concrete experiences over abstract concepts. However, the effectiveness of real breach stories depends entirely on how they're presented, requiring awareness managers to balance impact with empathy and respect for victims.

The Ethical Framework for Breach Storytelling

The conversation establishes clear guidelines for ethical security storytelling, centered on avoiding victim-shaming, excessive technical detail, and sensationalism. Badanes introduces a five-question ethical test: What behavior am I trying to change? Does this story teach that behavior? Who could be hurt? Have I minimized harm? Would I be comfortable if this were about my company? The framework emphasizes focusing on decision points rather than consequences, helping employees develop empathy by putting themselves in the victim's position. Public availability of breach information doesn't automatically make it appropriate for training — context, timing, and potential harm must all be considered. The episode stresses that ethical storytelling should reinforce positive security culture by modeling the right response rather than punishing mistakes.

Operationalizing Ethical Review and Cultural Considerations

For resource-constrained awareness teams, the episode provides practical guidance on implementing lightweight ethical review processes. Badanes recommends involving diverse perspectives from HR and other departments to ensure stories don't inadvertently cause harm, while maintaining transparency about whether examples are real or 'based on true events.' The discussion addresses cultural variations in how breach stories should be framed, noting that concepts like challenging authority or stop-work authority may need different approaches across global organizations. The episode concludes with measurement guidance, emphasizing that true effectiveness goes beyond engagement metrics to behavior change and actual security outcomes. Continuous micro-trainings delivered in employees' native work environments — such as simulated phishing in actual inboxes — prove more effective than quarterly compliance courses.

Chapters

0:00 - Introduction to Ethical Security Storytelling
2:21 - Why Real Breach Stories Outperform Fiction
3:40 - Ethical Risks of Using Real Incidents
5:03 - Framework for Ethical Storytelling
8:27 - Choosing What to Include in Stories
9:24 - Operationalizing Ethical Review
19:01 - Practical Formats and Delivery Methods
27:10 - Cultural Context and Global Considerations
31:36 - Five-Question Ethical Test and Conclusion

Key Quotes

2:44 "We really believe more and understand more the concrete versus the abstract. If you look at Heath and Heath's book, Made to Stick, one of the things that I draw from that is that we're really drawn to remember concrete sensory details."
6:25 "Empathy is the key thing here of thinking that could be me. You also really don't want to go into too much technical detail and drowning people out with IOCs or CVE numbers when the heart of what you're trying to focus on for these is really behavior change."
9:14 "Public availability is the start of the ethical analysis, not the end."
10:49 "Barbara Corcoran of Shark Tank fame, her company lost $400,000 to a BEC scam. And she's talked about it anywhere where it's been asked on podcasts and news shows. This becomes a really ideal training example, because one, the victim herself, she decided to go public."
31:51 "What behavior am I trying to change? Does this story actually teach that behavior? Who could be hurt? And have I taken the steps to minimize harm? Is the timing appropriate? And would I be comfortable if this were about my own company? ..."
