As I already laid out, I'm not a very technically skilled infosec person. I did, however, dive into many a technical topic and benefited greatly from the share-by-blogging mentality in the community. Be it vendor or personal blogs or micro-blogging ... I learned a tremendous amount by reading what other people put blood, sweat and tears into learning themselves and then shared at no cost with the world.
Now, I won't be able to share how to figure out strange software behavior with Wireshark, how to reverse engineer micro-controllers or how to set up your home lab. There are other people for that. But I read security professionals, and everybody else too, writing about "people are the weakest link", "stupid Nick fell for a phish" or "well, that's just a layer 8 problem, I'm not dealing with that", and I just think this needs fixing.
Oh yeah, sorry, there's gonna be The Good Place gifs, I don't know what to tell you. That's just how it is. Or The Expanse gifs.
Back to topic: I don't think we have the leeway to rely on user bashing. It is kind of mean, not helpful and also not entirely true. I mean, we're all humans and we are making this whole computer-internet-cyber-stuff up, but that's not the point either.
My point is: There are reasons people act/react/preact a certain way and cybersecurity has to find a way to deal with the underlying issues.
This has several repercussions for how we deal with the human element in infosec for different specialists and I'm all here for it.
Why the silly name?
Well, I do like the nerdy element of expanding the OSI model into the real userspace, and I must confess that I, too, joked about those layer 8 problems. But I came to the conclusion that in most cases layer 8 (human/people/user) problems are in fact layer 9 (organization/policy/process) problems. And even if the problems really are human problems, it falls on the organization to remediate them through policy and processes.
So why layer 8½? That's where I see myself. I'm the intermediary. I'm no CISO, I don't make the rules. But I'm also not just in the user business. I do think we have to take into account how humans, policy, people and processes work together, entangle themselves, spin around and become that complicated mess that we are also kind of used to, because we are still just humans.
And I will try to build the bridge between tech and people and policy and psychology and security and all that. It's going to be fun.
I hope you're going to join me on that journey. Please do reach out when I get things completely wrong.
I probably won't adhere to a strict schedule, since life and ... oh, you get it. I will be posting, though. Until then: take care.