Cybersecurity often feels like a battle of technologies (firewalls, AI, monitoring tools), but at its core, it’s human. People are both the first line of defence and, more often than not, the most vulnerable point. On a recent episode of Security Strategist, Richard Stiennon spoke with Nicole Jiang-Gibson, Chief Executive Officer of Fable Security, about why traditional training doesn’t work and how understanding human behaviour can fundamentally change an organisation’s security posture.

Humans are the Weakest Link

Nicole’s journey in cybersecurity began long before Fable. She was an early member at Abnormal Security, where she helped build email security solutions. That experience exposed a recurring truth: even the best technical safeguards can be undone by human error.

“Human error is really the number one cause at the beginning of cybersecurity incidents,” Nicole explains. “Phishing attacks are the number-one starting point—one click, one misstep, and suddenly the consequences are massive.”

She recalls the MGM Resorts breach as a turning point: an IT help desk employee took a phone call from someone impersonating an Okta admin, leading to a major security lapse. “Even with strong email defences, people were exposed in ways technology couldn’t prevent. That’s when I realised that this was a human problem we needed to solve.”

Seeing Security Through the Attacker’s Eyes

Fable Security’s approach is rooted in understanding both employee and attacker behaviour. Nicole describes it almost like a conversation from both sides of the table.

“Looking at security from the attacker’s perspective changes how organisations design interventions,” she says. “Employees often don’t even realise which actions put them at risk. By understanding predictable behaviours, we can build targeted, timely interventions instead of generic training modules that people forget.”

The company leverages data to identify risky behaviours and reinforce safe ones. Richard notes that this can turn the math of phishing attacks in an organisation’s favour, reducing the likelihood of a click from 40 per cent to 2 per cent, for example, meaning attackers have to try 50 times to succeed once.

Reinforcement Not Punishment

One of the major differences in Fable’s approach is how they treat learning. Traditional phishing simulations can leave employees feeling tricked or shamed. Fable focuses on reinforcement and repetition, creating a culture where security is part of everyday decision-making.

“We empower organisations with data to understand how employees behave and then help them stay one step ahead of attacks,” Nicole explains. “It’s not just about preventing business loss, it’s about protecting culture, brand, and employee safety.”

By shifting the focus from blame to understanding and from generic training to targeted behavioural interventions, organisations can finally address the human factor in cybersecurity with the seriousness and nuance it deserves.

For more information, visit fablesecurity.com

Takeaways

  • Cybersecurity is not just about technology; it's about people.
  • Traditional training often fails to change behaviour effectively.
  • Human errors are the leading cause of cybersecurity incidents.
  • Fable Security focuses on understanding and changing human behaviour.
  • The threat landscape is constantly evolving, requiring adaptive solutions.
  • Organisations must view security as a supportive, not punitive, measure.
  • Phishing simulations can be harmful if not conducted ethically.
  • Building trust with employees is essential for effective security training.
  • Employees can serve as valuable sensors for identifying threats.
  • Meaningful behaviour change requires a shift in mindset and approach.

Chapters

00:00 The Human Factor in Cybersecurity

01:11 Fable Security's Origin Story

04:23 Understanding Human Vulnerabilities

06:01 The Attacker's Perspective

08:29 Fable's Ad Tech Approach

12:04 Revolutionising Security Training

14:37 The Ethics of Phishing Simulations

19:42 Building Trust in Security Training

22:56 Empowering Employees as Sensors

27:40 Steps Towards Meaningful Behaviour Change