Kindness, Trust, and Zero-Trust
Human-Centered Security for Resilience
Author: Derick Smith (CEO)
Date: November 10, 2025
TL;DR
“Trust but verify” only works if people feel safe to tell the truth fast. Blameless culture and empathetic breach comms aren’t “soft”—they’re control surfaces that lower MTTR, improve reporting quality under NIS2, and protect citizens and patients. Evidence from organizational science, EU guidance, and real incidents shows why kindness + zero-trust is a winning security architecture. (SAGE Journals)
Why “verify without humiliation” is a security control (not a slogan)
Psychological safety ⇒ faster learning and better performance. Classic research by Amy Edmondson shows teams that feel safe admitting mistakes surface issues earlier and learn faster—exactly what you want during incidents. (Massachusetts Institute of Technology)
Phishing exploits speed + shame. In the 2024 Verizon DBIR, the median time for a user to fall for a phishing email was under 60 seconds. If the first emotion after a mis-click is fear, you lose precious minutes and high-fidelity reporting. Build a no-blame, report-now reflex. (Verizon)
EU regulators expect evidence, not heroics. Under NIS2, entities must implement risk-management measures and keep auditable incident timelines (awareness → early warning → 72h notification → final report). A humane culture produces better records and earlier escalation. (Digital Strategy)
Bottom line: People move the needle first—technology second. You can’t automate your way out of a blame culture.
Building a blameless IR culture (with guardrails)
What “blameless” actually means: We assume good intent, capture facts, publish timelines, and focus on system fixes—not personal blame. This is standard practice in high-reliability engineering (see Google SRE’s postmortem culture). (Google SRE)
Five moves to implement this week:
Define postmortem criteria up-front. When do we write one? What gets reviewed? Who signs off? (Template + checklist.) (shaunabram.com)
Make “report-now” a policy. Reward immediate disclosure of suspected phishing, data mishandling, or misconfigs—remove shame from the equation. DBIR’s sub-60-second stat means minutes matter. (Verizon)
Instrument the truth. Auto-stamp awareness, actions, and outcomes in your IR/SOAR tooling so teams don’t “edit the past” under pressure; this also streamlines NIS2 submissions. (ENISA)
Separate accountability from punishment. Assign clear owners for fixes without performative blame. Publish action items and due dates—then track them. (Google SRE)
Practice cross-border coordination. ENISA emphasizes EU-level crisis procedures—know who calls whom across Member States and suppliers. Tabletop it. (ENISA)
Kindness in breach communications (and why it reduces harm)
The UK ICO’s guidance is explicit: acknowledge what happened, be human and accessible, and explain concrete steps to reduce harm for people—especially vulnerable groups. That isn’t PR; it’s risk reduction that limits follow-on fraud and complaint volume. (Information Commissioner's Office)
What good looks like (checklist):
Plain-language notice (no jargon) with exact data types affected.
Next steps the individual can take (freeze, fraud watch, new credentials).
Direct channels (email + hotline) staffed to actually help—measured SLOs.
Update cadence (e.g., every 48–72h until closure).
Link to regulator guidance for credibility and self-help resources. (Information Commissioner's Office)
Real-world signals that resonate with boards & CISOs
Healthcare is a prime EU target. ENISA’s health threat landscape (TL) report shows providers (53%)—especially hospitals (42%)—bear the brunt; ransomware dominates. Patient safety is not theoretical. (ENISA)
Breach costs remain high—and AI adds new risks. IBM’s 2025 report pegs the global average cost around $4.44M, with AI-related and “shadow AI” incidents emerging as new cost drivers. Culture and governance shrink dwell time and legal exposure. (IBM)
Kindness ≠ weakness. Public regulators now encourage empathetic comms because it measurably reduces harm—and yes, you still meet the 24h/72h/1-month NIS2 clocks. (Information Commissioner's Office)
Templates you can adapt (EU/health & public services)
1) “Verify without humiliation” micro-playbook (phishing):
Auto-reply to reported phish: “Thanks—this is exactly what we want. You helped protect others.”
One-click mailbox sweep + user notification for confirmed campaigns.
Weekly “Thank-you wall” for first reporters (no names if you prefer privacy).
KPI: report-to-click ratio and time-to-first report (DBIR shows speed wins). (Verizon)
2) Empathetic breach notice (patient/customer):
Opening: “We’re sorry. Here’s what happened, what we’re doing, and how we’ll help you.”
What data, when, and what it means for you.
Steps we’ve taken (revoked tokens, reset credentials, engaged regulators).
Steps you can take; free support offered (e.g., credit monitoring).
Update cadence + contact details + regulator links. (Information Commissioner's Office)
3) Blameless post-incident review (90 min):
Facts timeline (auto-stamped).
Contributing factors (systems/process, not people).
5 “fixes that stick” with owners & dates.
Share the write-up broadly; normalise learning. (Google SRE)
Measuring the human layer (so it survives audits)
Track these human-centered lagging/leading indicators:
Time-to-first report (phish/misconfig) and report-to-click ratio (higher is better). (Verizon)
Postmortems completed & reviewed (% incidents with action items closed). (Google SRE)
Empathy SLOs in comms (inbound response time, case resolution time). (Information Commissioner's Office)
NIS2 timeline hits (% on-time early warning, 72h, final report). (Digital Strategy)
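The two technical ideas in this post, “instrument the truth” (an auto-stamped timeline nobody can rewrite) and the human-layer indicators above, can be shown in one small script. The following is an added example written for this page, not Trescudo code or any regulator’s tooling. It assumes milestone names (awareness, early_warning, incident_notification, final_report), reads “1 month” as 30 days, and uses constructed timestamps for the sample incident and phishing campaign.

```python
"""Append-only incident timeline plus human-layer KPIs (added example, not Trescudo code).

Assumptions: milestone names, the 30-day reading of "1 month", and all sample
timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# NIS2 clocks as stated in the post: 24h early warning, 72h notification,
# 1-month final report (approximated here as 30 days; assumption).
NIS2_CLOCKS = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


@dataclass(frozen=True)
class Event:
    """One immutable, server-stamped timeline entry."""
    kind: str       # e.g. "awareness", "early_warning", "containment"
    note: str
    at: datetime    # stamped by the system clock, never supplied by the user


class IncidentTimeline:
    """Events can be appended but never edited or removed ("instrument the truth")."""

    def __init__(self, incident_id: str, clock=None):
        self.incident_id = incident_id
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._events: list[Event] = []

    def record(self, kind: str, note: str) -> Event:
        ev = Event(kind, note, self._clock())   # timestamp taken at write time
        self._events.append(ev)
        return ev

    @property
    def events(self) -> tuple[Event, ...]:
        return tuple(self._events)   # read-only snapshot, no edit/delete API exists

    def first(self, kind: str):
        return next((e for e in self._events if e.kind == kind), None)

    def nis2_status(self, now: datetime) -> dict[str, str]:
        """Per milestone: on_time / late (already sent) or pending / overdue (not yet sent)."""
        awareness = self.first("awareness")
        if awareness is None:
            raise ValueError("no awareness event; NIS2 clocks have not started")
        status = {}
        for milestone, limit in NIS2_CLOCKS.items():
            deadline = awareness.at + limit
            sent = self.first(milestone)
            if sent is not None:
                status[milestone] = "on_time" if sent.at <= deadline else "late"
            else:
                status[milestone] = "pending" if now <= deadline else "overdue"
        return status


def phishing_kpis(sent_at: datetime, clicks: list, reports: list) -> dict:
    """Time-to-first-report (seconds) and report-to-click ratio for one campaign."""
    ttfr = (min(reports) - sent_at).total_seconds() if reports else None
    ratio = len(reports) / len(clicks) if clicks else None   # None: nobody clicked
    return {"time_to_first_report_s": ttfr, "report_to_click_ratio": ratio}


# ---- constructed sample data (not a real incident) ---------------------------
T0 = datetime(2025, 11, 10, 9, 0, tzinfo=timezone.utc)


def _sequence_clock(stamps):
    """Deterministic stand-in for the system clock, used only for the sample."""
    it = iter(stamps)
    return lambda: next(it)


def build_sample_timeline() -> IncidentTimeline:
    stamps = [T0, T0 + timedelta(hours=20), T0 + timedelta(hours=80)]
    tl = IncidentTimeline("INC-EXAMPLE-001", clock=_sequence_clock(stamps))
    tl.record("awareness", "SOC confirms ransomware on imaging file server")
    tl.record("early_warning", "Early warning sent to national CSIRT")    # +20h: on time
    tl.record("incident_notification", "72h notification submitted")    # +80h: late
    return tl


SAMPLE_CAMPAIGN = dict(
    sent_at=T0,
    clicks=[T0 + timedelta(seconds=50), T0 + timedelta(seconds=70)],
    reports=[T0 + timedelta(seconds=45), T0 + timedelta(seconds=120),
             T0 + timedelta(seconds=300)],
)

if __name__ == "__main__":
    tl = build_sample_timeline()
    print(tl.nis2_status(now=T0 + timedelta(days=5)))
    print(phishing_kpis(**SAMPLE_CAMPAIGN))
```

The timeline class has no update or delete method and hands out frozen events, so the record that reaches a NIS2 submission is the record that was written under pressure. `nis2_status` turns the 24h/72h/1-month clocks into an auditable per-milestone result, and `phishing_kpis` computes the two reporting indicators from raw click and report timestamps.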
The leadership ask
Kindness is not “nice to have.” It is a control that increases disclosure speed, improves evidence quality, and protects the public when things go wrong. Couple it with zero-trust tech (MFA/passkeys, JIT access, least privilege) and blameless rigor (SRE-style postmortems), and you get a culture that ships resilience—on purpose.
Sources & further reading
Psychological safety & team learning: Edmondson, Administrative Science Quarterly (1999). (Massachusetts Institute of Technology)
Phishing speed & behaviour: Verizon DBIR 2024 executive summary (sub-60s median to fall for phish). (Verizon)
NIS2 overview & obligations: European Commission NIS2 page; ENISA risk-management guidance. (Digital Strategy)
Blameless postmortems: Google SRE book & workbook. (Google SRE)
Empathetic breach comms: UK ICO guidance & updates. (Information Commissioner's Office)
Health sector threat landscape (EU): ENISA 2023 report. (ENISA)
Breach costs & AI angle: IBM Cost of a Data Breach 2025; coverage and summaries. (IBM)
Call to action
Download our Human-Centric Breach Comms Kit (templates + SLOs + checklists).
Want a blameless IR workshop tailored to your EU/NIS2 obligations? Book a 30-minute session: https://clients.trescudo.com/form1
Kindness + Zero-Trust isn’t soft. It’s how resilient organizations learn faster, report better, and protect people.