Embarrassingly Secret: When the Culture of Silence Becomes Security's Greatest Vulnerability

Within Swedish administrative law and information security, references to legislation are part of everyday life. But there is a marking that has begun circulating in the corridors of both public authorities and private companies — a worn, black stamp bearing text that cuts straight through the professional jargon:

CLASSIFIED – Without basis in Chapter 15, Section 2 of the Public Access to Information and Secrecy Act (2009:400) – OF FUNDAMENTAL IMPORTANCE TO THE MAINTENANCE OF THE ILLUSION – EMBARRASSINGLY SECRET. Disclosure of this document will be handled with considerable delay.

This stamp, created by the consultancy firm Securebyme, appears at first glance to be a sharp piece of satire on Swedish administrative bureaucracy and the eternal search for scapegoats. But behind the humorous façade lies a brutal truth about modern cybersecurity. It is a diagnostic marking for a deeply dysfunctional security culture.


The Public Access to Information and Secrecy Act (OSL), Chapter 15, Section 2, protects information relating to defence secrecy — information whose disclosure can be assumed to damage Sweden’s defence capability or otherwise pose a threat to Sweden’s security. But when the metaphorical stamp “Embarrassingly Secret” is applied to a decision, a vulnerability, or an incident, it is not about national security. It is about protecting the reputations of individuals or management, concealing technical debt, or maintaining a fragile illusion of perfect control. This culture of silence is not merely an administrative failure — it constitutes one of the most critical, hidden attack surfaces in today’s digital ecosystem.

The Silent Threat: What Science Says About Hidden Incidents

The notion that cybersecurity is solely about technical defence is a dangerous oversimplification. Empirical research shows that the human and organisational factor is a direct determinant of an organisation’s real resilience. The silence symbolised by the “Embarrassingly Secret” stamp is, in fact, a global threat.

According to recent studies in information security and organisational theory:

  • 40% of all known security incidents in global organisations are never reported to internal management.
  • 40% of security personnel stay silent about discovered vulnerabilities or incidents out of fear of personal or career-related consequences.
  • Up to 88% of all data breaches stem from human decisions or actions made under pressure, yet the willingness to report these is undermined by social fear.

When an employee or a manager chooses to conceal a mistake, the attacker is handed an invaluable gift: time. Time for a hostile actor to move freely within an organisation’s network before being detected. When fear of embarrassment or punishment leads to incidents being covered up, this window of time grows dramatically. What began as a simple click on a phishing link on Monday transforms into a full-scale ransomware catastrophe by Friday — because no one dared to sound the alarm.

Just vs. Blame Culture: An Organisational Theory Choice

The theory of just culture, originally formulated by Professor James Reason within aviation safety, emphasises that mistakes are almost always symptoms of systemic failures rather than the incompetence of individuals.

According to Reason, there are three types of cultures:

  1. Blame culture: Characterised by a punitive default stance. When an error occurs, the question asked is: “Who did this and how should they be punished?” In this environment, the instinct for self-preservation becomes the employee’s strongest driving force, leading to mistakes being stamped “Embarrassingly Secret” and concealed.
  2. No-accountability culture: A culture where no mistakes or violations ever carry consequences. This creates a dangerous lack of personal accountability and undermines respect for security policies.
  3. Just culture: A balanced model in which a clear line is drawn between honest human error and deliberately reckless behaviour or sabotage. Honest mistakes are treated as valuable information for improving the system, while deliberate rule violations are handled with clear accountability.

Table 1: Organisational Theory Comparison of Security Cultures

| Cultural dimension | Question when error occurs | Employee behaviour | Management’s reaction | Risk awareness | Security outcome |
|---|---|---|---|---|---|
| Blame culture | Who caused the problem? | Cover-ups and silence | Punishment and scapegoating | False illusion | Increased vulnerability |
| Just culture | What went wrong in our system? | Proactive reporting | Analysis and system improvement | Realistic understanding of risk | Rapid incident response |

Psychological safety as an indicator of incident reporting

A central component of just culture is psychological safety, a concept popularised by Harvard professor Amy Edmondson. It is defined as a climate in which individuals feel it is safe to take social risks — to ask questions, report errors, or challenge decisions without risking being ridiculed, punished, or labelled as incompetent.

The Illusion vs. Real Security Culture

| Dimension | Primary focus | Response mechanism | Role of leadership | Security metrics | Consequence |
|---|---|---|---|---|---|
| Maintaining the illusion | Avoiding negative publicity | Blame and deleted logs | Concealing deviations upward | “All green” dashboards | Accumulated security debt |
| Psychological safety | Detecting root causes | Blame-free learning | Demonstrating vulnerability | Cognitive resilience | Robust resilience |

Psychological safety is the single strongest independent indicator of employees’ willingness to report incidents. Traditional theories such as the Theory of Planned Behaviour (TPB) — which focus on subjective norms and perceived control — are insufficient to explain reporting behaviour unless combined with psychological safety and Organisational Citizenship Behaviour (OCB). Psychological safety is the primary determinant of whether an employee actually reports a discovered risk or not.

Security theatre: when appearances are everything

When an organisation lacks psychological safety and just culture, genuine security work is often replaced by what security analyst Bruce Schneier calls security theatre. It is defined as measures designed to create a visual or cognitive sense of safety, but which do little or nothing to actually reduce real risk.

Security theatre frequently arises as a result of cognitive biases within leadership:

  • Optimism bias: The belief that the catastrophes befalling other organisations will not strike one’s own, leading to satisfaction with superficial controls.
  • Authority bias: Blindly trusting that a checklist or a generic compliance report means the organisation is secure.
  • Urgency bias: Under time pressure, choosing the most visible solution (e.g. purchasing a new tool) rather than undertaking the difficult cultural change that is actually required.

The “Embarrassingly Secret” stamp is the logical endpoint of security theatre. When the façade cracks and an incident occurs, the priority becomes not to minimise the damage or learn from the mistake, but to cover up the event in order to protect the theatre that so much has been invested in building.

In-Depth Case Studies: When the Illusion Collides with Reality

To understand the catastrophic consequences of silence culture and cover-ups, we must analyse three historical events where the “Embarrassingly Secret” mentality was put to the ultimate test.

Case Study 1: Uber and Joe Sullivan — Cover-Up as Criminal Act

In October 2016, attackers discovered AWS access keys that one of Uber’s software developers had accidentally left in a private GitHub repository. Using these keys, the attackers were able to download a database containing the personal data of 57 million Uber users and 600,000 driver’s licence numbers. The attackers then contacted Uber’s then-Chief Security Officer (CSO), Joe Sullivan, and demanded a six-figure ransom.

Rather than reporting the incident to the Federal Trade Commission (FTC) — which at the time was already investigating Uber over a previous security breach from 2014 — Sullivan made the decision to stamp the incident “Embarrassingly Secret.” Sullivan took the following active cover-up measures:

  1. He directed the payment of $100,000 in Bitcoin to the hackers through Uber’s official bug bounty programme, despite the programme being intended solely for benign security researchers who had discovered vulnerabilities — not for extortionists who had stolen data.
  2. He compelled the hackers to sign a non-disclosure agreement (NDA) falsely claiming that they had not accessed or downloaded any personal data.
  3. He actively edited the draft incident report his team had prepared, deleting all references to the fact that sensitive user data had been stolen.

When Uber’s new CEO, Dara Khosrowshahi, took office in 2017 and discovered the cover-up, Sullivan was immediately dismissed and the incident was reported to the authorities.

In October 2022, Joe Sullivan was convicted in federal court in San Francisco of obstruction of justice and concealment of a federal crime. The verdict marked the first case in history in which a corporate executive was held personally criminally liable for the handling of a data breach. Uber was forced to pay a settlement of $148 million to 50 US states for the delayed disclosure. The case demonstrates with alarming clarity that the attempt to conceal what is embarrassing is almost always more destructive than the underlying problem itself.

Case Study 2: The Swedish Transport Agency — New Public Management and the Culture of Derogations

One of Sweden’s most high-profile IT scandals took place at the Swedish Transport Agency in 2015 and illustrates how a systemic “culture of derogations” can emerge under administrative pressure.

In 2015, the Transport Agency outsourced its IT operations to IBM. The objective, strongly shaped by New Public Management (NPM) ideals of efficiency and cost savings, demanded an extremely tight timeline. The agency did not carry out the necessary analyses and assessments of what information was held in its databases and how sensitive it was, on the grounds that doing so would take too long and that the agency had nothing worth protecting beyond its driving licence production. On this basis, the agency outsourced to IBM and their foreign technicians, who required administrative privileges to manage the environment.

These databases contained, among other things, information from the road traffic register, individuals with protected personal data, and classified information relating to qualified protected identities.


Rather than escalating the problem to the government or halting the project — which would have shattered the political and administrative illusion of a successful, time-efficient undertaking — Director General Maria Ågren and Deputy Director General Jacob Gramenius made several formal so-called “derogation decisions.” These decisions constituted deliberate, documented departures from applicable legislation, including the Security Protection Act.

Academic research by P. Svärd (2019) at Södertörn University shows how the outsourcing and NPM ideals overrode fundamental democratic principles such as transparency and accountability. Svärd describes how a deep-rooted “culture of derogations” had developed within the Transport Agency over an extended period, in which laws and internal guidelines were regularly set aside during procurement processes in the pursuit of short-term efficiency. Trade union representatives testified that derogations were so commonplace that they had become normalised within the organisation.

When the cover-up was finally exposed in 2017, it led to Maria Ågren’s dismissal, a summary fine for negligent handling of classified information, and one of the most serious political crises in modern Swedish history, resulting in the resignation of several ministers and state secretaries. What was handled internally as a necessary tactical decision was in reality a national security risk concealed behind a curtain of silence.

Case Study 3: Coop and the Kaseya Attack of 2021 — The Contrast Through Transparency


In the summer of 2021, the grocery chain Coop was struck by one of the most extensive cyber incidents in Swedish history. The ransomware group REvil exploited a vulnerability in the VSA remote management tool from software supplier Kaseya. Coop’s point-of-sale provider, Visma Esscom, used this tool, which resulted in Coop’s checkout systems being encrypted in a supply chain attack. More than 800 stores were forced to close immediately as customers were unable to pay.


Coop’s management faced a choice: attempt to conceal the full extent of the problem, enter into quiet negotiations with REvil, or play with open cards. They chose complete, immediate transparency. They went to the media that same evening, explaining exactly what had happened, that they had been affected through a subcontractor, and that they refused to pay the $70 million ransom.


It took six days to reopen the first stores and six weeks before the entire IT environment was fully restored. But by refusing to stamp the crisis “Embarrassingly Secret,” Coop not only managed to retain public trust — they transformed a potential PR disaster into a textbook example of resilience and transparent crisis leadership.

The Securebyme method: eliminating fear from the organisation

Tobias Ander highlights in his book Information Security Culture that we live in a complex and unpredictable world. In complex environments, there are no linear, simple solutions. As economist Nassim Nicholas Taleb has noted: “Avoiding small mistakes makes the large mistakes more painful.”


When an organisation attempts to maintain a perfect façade, employees are forced to conceal small mistakes. But these hidden mistakes do not disappear — they accumulate into a growing security debt that sooner or later leads to a systemic collapse. Forced silence conceals the weak signals that precede every catastrophe.

There are three foundational pillars we must build our work upon in order to dismantle the “Embarrassingly Secret” culture:

1. Move decision-making to where the information is

Drawing inspiration from submarine captain David Marquet, Tobias Ander emphasises the importance of decentralising authority. Traditional hierarchies require information to be moved up to the authority for a decision, creating bottlenecks, delays and opportunities for cover-ups. By instead moving decision-making down to where the information actually resides — where employees are — personal accountability and transparency increase. The employee becomes an active sensor, not a passive recipient of policies.

2. Establish a blame-free learning climate

To eliminate social fear, leadership must formalise a blame-free response to incidents. When an error occurs, the investigation focuses on how the system, processes and timeframes allowed the mistake to happen, rather than searching for a scapegoat. This dramatically lowers the threshold for reporting.

3. Vulnerability in leadership as the norm

Culture is shaped by the behaviours that leaders reward and themselves model. If you as a leader pretend to have all the answers and never acknowledge mistakes, you signal that vulnerability is a weakness. This compels the rest of the organisation to conceal their own shortcomings. Leaders must be willing to show vulnerability and openness about their own mistakes in order to give others permission to do the same. “If you as a leader think you have all the answers — stop. Because you will be wrong.”

Conclusion: Tear Apart the Illusion — Build Real Security

Cybersecurity can never be built on illusions. If your organisation hesitates to report incidents, if managers conceal risks from the board out of fear of reprisals, or if deviations are handled with “considerable delay,” you are sitting on a ticking bomb.


It is time to put aside the invisible “Embarrassingly Secret” stamp once and for all. By replacing fear with psychological safety, and by treating every mistake as an invaluable source of learning, we can build organisations that are genuinely robust. It is in the honest decisions — the decisions we make when no one is watching — that our true resilience is forged.


Would you like to know whether your organisation is carrying a culture of silence? Securebyme helps you look beneath the surface of your decisions, measure actual psychological safety and build an information security culture that is real — beyond the illusions.


(Interested in a real stamp or some stickers to put on your laptop — get in touch with us!)