Episode Overview
In this episode, Corina Hernandez-Muñoz, Head, Cyber Behaviour and Culture, Enterprise Information Security (EIS), Export Development Canada, challenges one of the most common assumptions in cybersecurity: that testing people and measuring their failures is the best way to strengthen the “human firewall.” Instead, she argues that sustainable cyber-secure behaviour comes from understanding how people actually think, learn and react under pressure.
Drawing on her experience reshaping EDC’s cybersecurity programme, Corina explains why emotional connection, psychological safety and trust are essential to building a resilient security culture. By shifting from a model that audits mistakes to one that supports learning, her team reframed cybersecurity as a shared responsibility — creating stronger engagement, better reporting behaviours and measurable improvements in security outcomes.
Key Themes
This conversation explores the growing movement toward human-centred cybersecurity, where culture, behaviour and user experience are treated as core elements of defence rather than secondary considerations. Corina explains how traditional awareness programmes often focus heavily on compliance metrics — such as training completion or phishing simulation results — without truly measuring whether behaviour will hold in real threat scenarios.
By designing programmes that connect cybersecurity to employees’ personal lives, reinforcing positive behaviours and creating environments where people feel safe to ask questions or report incidents, organisations can build stronger instincts and more resilient responses to evolving cyber threats.
What You’ll Learn
Why Traditional Cyber Training Often Falls Short
How shame-based training models can unintentionally discourage learning and reporting.
The Science Behind Behavioural Security
Why emotional and psychological engagement strengthens memory, retention and secure decision-making.
Making Cybersecurity Personally Relevant
How connecting security practices to employees’ everyday lives — from family safety to holiday scams — increases engagement.
Shifting from Testing to Supporting
How reframing phishing simulations and training programmes can build pride and collective responsibility instead of fear of failure.
Rethinking Security Metrics
Why compliance measures like training completion rates don’t necessarily reflect real behavioural change.
Designing Security Around Human Behaviour
How controls such as password policies must account for how people actually remember and interact with systems.
The Role of AI in Human Risk Management
Why automation will increasingly detect threats — but human judgement, confidence and instinct will still determine how organisations respond.
Key Takeaways
Cybersecurity culture matters as much as technology
Emotional engagement strengthens security behaviours
Psychological safety improves reporting and learning
Security controls should reflect real human behaviour
Human judgement remains essential in an AI-driven threat landscape
Why You Should Listen
This episode offers a powerful perspective on why cybersecurity transformation must include behavioural design and cultural change. For security leaders, digital executives and public sector organisations, it provides practical ideas for building programmes that strengthen both technology defences and the people who rely on them.