When was the last time your audience laughed with you during your security training? Injecting humor into your cybersecurity communication is a powerful way to connect with people on an emotional level and deliver messages that stick long after the giggles have died down.

Q: Why don’t penetration testers ever get locked out of their houses?

A: Because they always find a backdoor.

Groan all you like, but know this: humor is a very effective way to reach your audience, whether you want to produce an emotional response or communicate on complex subjects. At ISC2 Security Congress 2025 in Nashville, James McQuiggan, CISSP, Security Awareness Advocate at KnowBe4, and Kevin Johnson, CISSP, CEO of Secure Ideas, co-presented “Humor: An Unconventional Tool for Your Cybersecurity Programs” to a packed house. Their presentation, peppered with asides and jokes, reinforced their message: incorporating humor into your cybersecurity communication works.

How It All Began

McQuiggan realized he needed to adjust his presentation style when the COVID-19 pandemic forced him out of the office and into a remote environment. During virtual meetings, he wasn’t receiving feedback and participants seemed disengaged. He realized that he needed to break up the monotony and find new ways of holding his colleagues’ attention.

Johnson added that cybersecurity professionals are often viewed as the “No!” people, a roadblock that employees don’t enjoy dealing with. Humor, he explained, can help break down that stigma, lighten the mood and make audiences more open to security messages.

Finding the Lighter Side

Johnson shared a story about a particularly rough night at a restaurant. Orders were getting mixed up, food was delayed and tensions were high. The server, recognizing this but unable to fix it, faced the problem head-on with humor. Each time she came to the table, she offered another witty remark about the situation. While she wasn’t able to solve the underlying problem, her humor changed the guests’ attitude, helping them see the lighter side of a situation beyond their control.

This same approach can work for cybersecurity awareness training. McQuiggan explained the science behind humor and why it works:

  • Lowering Psychological Defenses – People might think of cybersecurity training as punitive or dull. They don’t expect it to be entertaining, so making it that way makes it a better vehicle for your messages.
  • The Memory Connection – Laughter enhances memory. When people remember what made them laugh, they also remember the lesson that came with it.
  • Breaking Down Complexity – Humor helps simplify complex ideas, making technical concepts easier for nontechnical audiences to grasp and the message much more memorable.

Funny Penetration Testing

Humor can be very disarming, making people lower their guard and interact more informally. This can help tremendously in pen testing!

Johnson described a scenario where a pen tester calls the customer service department and uses humor to get the representative to reset the password on “his” account. The conversation starts like this: “Ha-ha, I’m so embarrassed to be asking you this, but I just can’t remember my password! Could you please help?” Humor is an unexpected addition to the conversation and can break the verification process when the representative connects with the caller on a human level.

Practical Applications

Using humor to get people to read and engage with your email campaigns can be very effective. When recipients know they’ll get a laugh as well as a valuable lesson, you may find they actually look forward to the next message.

Do your training modules just provide the facts? Are your presenters reciting scripts, unsmiling? If so, you might consider giving them a humor makeover. McQuiggan referenced Twist and Shout Media, which produces short safety films that use comedy to demonstrate what happens when basic cybersecurity practices are ignored. Training videos like these are funny, engaging and memorable—everything you could wish for in an educational program.

And when it comes to communicating up the chain in your organization, humor can be a great equalizer. Sharing a laugh makes both you and the recipient more comfortable, enabling clear and candid discussions you may need to have.

How to Get Started

McQuiggan and Johnson both recommend starting to inject humor into your presentations right away. Begin with a low-risk pilot program to see what works and what doesn’t, before investing in larger projects. Track your progress so you can objectively measure how your campaigns are performing.

There are many ways to deliver humorous messages. One example is a security team that placed posters on their company’s bathroom stall doors. The message was, “You’ll be getting an email from us soon. Please open it!” Another approach was stickers carrying cybersecurity messages, including bad puns, wordplay or other creative messages designed to grab attention and compel people to stay cyber safe.

It's important to remember that humor itself is not the message. Define the results you want your communications to achieve first, then define the message. After that, think about ways to make it funny.

What Not to Do

Humor can be highly subjective, so it’s important to be funny without crossing the line into poor taste. Avoid jokes at the expense of others, or humor that may not resonate with everyone. A good question to ask yourself, from the audience’s perspective, is “Why is this funny?” If you can’t answer that, then the joke probably won’t land.

Ensuring your humor is inclusive, appropriate and culturally sensitive is essential. Self-deprecating humor can be effective when you’re unsure of the audience, since you’re only making fun of yourself.

Finally, timing is very important. Know when to be lighthearted and when you need to be serious. Johnson gave the example of a company that had laid off a large portion of its workforce. Afterwards, the security department sent a phishing exercise to the remaining staff that stated that, with payroll costs reduced, there was “extra cash” available if employees clicked a link. Unsurprisingly, nobody except for the sender thought it was funny.

Key Takeaways

Humor is a great way to communicate complicated ideas and things you want people to remember. It lowers the defenses of both you and the receiver of your message to facilitate discussion. And satire can expose flaws in a disarming way that makes people more willing to face them. McQuiggan and Johnson ended their session with this call to action: Make someone laugh about security this week. It’s not always a laughing matter, but if you can charge your communications with humor, you might find that your cybersecurity messages are more memorable and, importantly, put into action!
