Why People Are the Biggest Opportunity in Cybersecurity
An interview with AJ Nash, founder of Unspoken Security and veteran intelligence professional
For more than 25 years, AJ Nash has worked at the intersection of intelligence, security, and human behavior, building leading intelligence teams in both government and the private sector. In 2024, he founded Unspoken Security to continue advising organizations on risk, resilience, and the evolving threat landscape, while hosting the Unspoken Security podcast. With an M.A. in Organizational Leadership from Gonzaga University and a deep commitment to servant leadership, AJ is known for a vendor-neutral, human-centered perspective: security is not just a technology problem; it is a people problem.
That framing has never been more urgent. As AI accelerates the scale and sophistication of social engineering—through LLM-generated phishing emails, voice cloning, and deepfakes—cybercriminals are increasingly targeting emotional vulnerabilities rather than firewalls. Urgency, fear, obedience, curiosity: these are not technical flaws, but human susceptibilities. Effective Human Risk Management (HRM) must account for how employees actually think and decide: much of the time they operate in fast, intuitive “system one” mode rather than slow, analytical “system two” reasoning.
For organizations, this means moving beyond compliance-based training toward adaptive, personalized HRM programs that continuously update behavioral profiles, identify emotional risk signals, and measure human-layer resilience. As deception becomes cheaper and easier for attackers to run at scale, individualized instruction, ongoing assessment, and culture-driven security awareness are no longer optional; they are strategic imperatives.
In this conversation with NINJIO, AJ Nash explains why employees are not the weakest link, but the greatest opportunity to build lasting cyber resilience.
NINJIO: You’ve spent decades studying intelligence and the human element of security. Why has emotional susceptibility become one of the most critical risk factors organizations must manage?
AJ Nash: People are the most targeted link in any organization—and what makes people different from machines is emotion. Adversaries don’t need to “hack” a server if they can manipulate a human being. When someone is operating from fear, anger, outrage, or anxiety, they’re not acting rationally. The more susceptible a person is to emotional manipulation, the more of a risk they become to the organization.
NINJIO: Many organizations still treat security awareness as a periodic training exercise. What are the biggest limitations of “check-the-box” models?
AJ Nash: It usually doesn’t build a culture of security. People memorize answers, multitask through training, and complete it for compliance—so it looks like the organization cares, but employees aren’t internalizing the risks. Better training is ongoing. It’s cultural. It’s built into how the organization operates every day, not something you “do” once a quarter.
NINJIO: Attackers exploit urgency, fear, curiosity, and authority. Which drivers are most effective today, and why?
AJ Nash: Urgency and fear are huge, often tied to authority. Business email compromise works because it puts an employee in a pressure cooker: “Pay this now,” “Do it immediately,” “The CEO needs it.” If the culture is fear-based and authoritarian, attackers love that environment. Employees start thinking, “What’s worse, getting fired or sending the money?” And too often, they send the money.
NINJIO: You’ve said this comes from the top. How does leadership shape whether those tactics succeed?
AJ Nash: A fear-based, hierarchical culture creates an unsafe organization. Healthy cultures empower people to push back, even against senior executives, because the process matters. If an employee can say, “We have a procedure for paying bills,” without fearing consequences, that organization is dramatically harder to exploit.
NINJIO: Most employees operate in “fast, intuitive” thinking during daily workflows. How should leaders design HRM programs for that reality?
AJ Nash: People are overloaded, and most work in “system one” mode. That makes them more prone to rash decisions and mistakes. Leaders need to explicitly give permission to slow down and get it right. Simple tools like checklists are powerful because they force a process and create a speed bump—just enough to reduce impulsive errors without stopping work.
NINJIO: AI-driven phishing, voice cloning, and deepfakes are changing the game. How is AI reshaping emotional manipulation, and what should CISOs prepare for?
AJ Nash: AI makes bad actors better at everything. The old “look for grammar errors” advice is outdated. Now we’re dealing with voice phishing, smishing, and deepfakes—even fake Zoom calls where everyone but the target is synthetic. We’re entering a “post-truth” environment where you can’t rely on what you see or hear. CISOs need to build verification habits into culture: slow down, validate requests, and create norms where employees can challenge unusual behavior without fear.
NINJIO: Leaders often frame insider risk in technical terms. How should organizations build behavioral risk profiles without getting “creepy”?
AJ Nash: Mature organizations already do this, but it’s a balancing act. Behavioral risk is about understanding what’s normal versus abnormal—without turning into surveillance for its own sake. People going through major stress, like loss, illness, or divorce, can become more vulnerable to manipulation or poor decisions. The point is to be proactive and compassionate, not intrusive.
NINJIO: How do you do continuous monitoring and adaptive risk assessment without creating mistrust?
AJ Nash: Communication and ethics are key. People should understand what is being monitored and why. Monitoring helps detect compromises (like credentials being used from an unexpected location), but leadership must ensure the program isn’t adversarial. I’ve met insider-risk teams that want to “catch” people, and that’s a recipe for an unhealthy organization. The best teams are focused on prevention and protection, not hunting employees.
NINJIO: You offered three pillars for building trust—can you share them here?
AJ Nash: 1) Transparency, 2) communication (with integrity), and 3) doing what you say you’ll do. Lots of organizations have values on the wall, but nobody can name them and nobody lives them. Trust collapses when values are branding instead of behavior, especially when accountability only applies at the bottom.
NINJIO: What role does culture play in resilience against manipulation-based attacks? Give us the sound bite.
AJ Nash: Healthy cultures create safer organizations. Period. Exhausted, disengaged employees are easier to manipulate. People who feel respected, supported, and connected to mission make better decisions, and they report problems faster.
NINJIO: When companies implement personalized HRM strategies, what mistakes do you see most often?
AJ Nash: Overreaching. Teams can drift into a “creepy” surveillance mindset, pouring too much personal data into systems. That can introduce bias and misread signals. For example, someone’s life story or background might look alarming on paper, but this doesn’t necessarily mean they are a threat. Use reliable, relevant data. Stick to what supports the job and the risk model. And keep compassion as part of the discipline.
NINJIO: What are the signals human risk exposure is rising—even if technical defenses look strong?
AJ Nash: You can feel it. If people are tense, unhappy, and on edge, risk is often higher. Especially insider risk. Healthy team dynamics and communication are good signs. But it’s a balance: you can’t be “kumbaya” with no security rigor. Still, culture is a leading indicator of whether people will report issues, follow processes, and resist manipulation.
NINJIO: If you were advising a CISO building a next-gen HRM program, what three capabilities would you prioritize first?
AJ Nash: Start with culture and leadership messaging: why security matters, and how you want people to behave when mistakes happen. Then hire the right people for HRM: professionals who understand risk and humans, not trophy hunters chasing metrics. Tools matter too—pattern-of-life and anomaly detection, normal data flows—but the core is still people over technology.
NINJIO: How should executives reframe human risk from “compliance” to strategic resilience?
AJ Nash: Stop treating HRM like a trap designed to catch employees. Most people want to do well and avoid mistakes. Strategic resilience comes from building a culture where security is part of identity and supported by real intelligence, ongoing training, and even fun: competitions, creative learning, engaging content. Make it normal. Make it shared. Most importantly, make it human.
NINJIO: With regard to cybersecurity, what’s the lesson you keep coming back to?
AJ Nash: Toxic people are terrible. And organizations need diverse perspectives—not just on paper, but in practice. Diversity isn’t only race or gender; it’s background, experience, geography, socioeconomic context. But it only works if everyone has a voice. The best environments are where the right answer wins, regardless of rank. That’s how you widen your imagination, spot threats earlier, and build real resilience—especially during disruption like M&A, layoffs, or leadership change, when fear and stress spike risk.
About AJ Nash
AJ Nash is a veteran intelligence and security leader with more than 25 years of experience building and leading intelligence teams across government and the private sector. In 2024, he founded Unspoken Security, LLC, where he advises organizations on intelligence, security, and the human element of risk, and hosts the Unspoken Security podcast. Known for his independent, vendor-neutral perspective, AJ is a frequent speaker across webinars, podcasts, radio, television, and live events. He holds an M.A. in Organizational Leadership from Gonzaga University and is passionate about servant leadership, diversity of thought, and building healthier, more resilient organizations.
Frequently Asked Questions
Q: What is Human Risk Management (HRM)?
A: Human Risk Management (HRM) focuses on understanding and reducing the security risks created by human behavior. Instead of relying solely on technical defenses, HRM programs evaluate how employees make decisions, respond to pressure, and interact with potential threats such as phishing or social engineering. Effective HRM combines security awareness training, behavioral insights, cultural reinforcement, and ongoing risk measurement.
Q: Why do attackers target emotions rather than technology?
A: Manipulating people is often easier and cheaper than hacking technology. Attackers exploit emotions such as urgency, fear, curiosity, and obedience to authority to pressure employees into making quick decisions. These emotional triggers can override careful thinking, which is what makes social engineering attacks like phishing, business email compromise, and voice scams so effective.
Q: How is AI changing social engineering?
A: AI lets attackers generate highly convincing phishing emails, clone voices, create deepfake videos, and automate large-scale manipulation campaigns. These tools remove traditional warning signs such as poor grammar, odd phrasing, or crude impersonation, making attacks harder to detect and increasing the need for strong verification habits and security-aware workplace cultures. In practice, that means confirming unusual or urgent requests through a channel the requester did not supply, such as a phone number already on file, rather than replying to the message or calling a number it contains.
Q: How is HRM different from compliance-based training?
A: Compliance-based training typically involves periodic courses designed to meet regulatory requirements. Human Risk Management goes further by continuously evaluating employee behavior, personalizing training, measuring risk levels, and building security habits into everyday workflows. HRM focuses on real behavioral change rather than on simply completing a course.
Q: Are employees really the “weakest link” in cybersecurity?
A: No. Employees are often described this way because attackers frequently target them, but they can also be the strongest defense. When organizations provide engaging training, supportive leadership, and clear processes, employees become active participants in detecting and stopping cyber threats.
About NINJIO
NINJIO’s human risk management platform reduces cybersecurity risk through personalized security coaching, engaging awareness training, and adaptive testing. Our multi-pronged approach to risk mitigation focuses on the latest attack vectors, to build employee knowledge, and on the behavioral science behind social engineering, to sharpen users’ intuition. Our simulated phishing and coaching tools build a proprietary Emotional Susceptibility Profile for each user to identify their specific social engineering vulnerabilities and change behavior.