So I'm in the kitchen at 9pm trying to figure out if microwaved leftover pizza counts as a meal when my daughter — she's 12 now, when did that happen — texts me from her mom's house asking if I can send her $30 for a school thing. A school thing. That's the whole detail. I love this kid but she has the communication style of a ransom note.
Anyway sent the $30. Of course I sent it.
Work was a disaster today. Marsha in accounting clicked on a phishing link that any FIVE YEAR OLD would have spotted. I love Marsha. Marsha is going to get us all fired one day. Every IT guy in America has a Marsha. I have started telling new hires about Marsha during onboarding the way pioneers told their kids about wolves.
Every Office Has a Marsha
She clicked the link. Of course she did. The email promised a refund from a shipping company she'd never used, arrived at 2pm on a Tuesday, and bore the digital fingerprints of a scam so obvious it practically came with a confession. Marsha in accounting clicked it anyway. She always does.
Every IT department in America has a Marsha. Not a villain — that's the thing people get wrong. Marsha brings birthday cake. Marsha remembers your kids' names. Marsha has been with the company longer than the current CEO and will outlast the next one. Marsha is also, quietly and without malice, the single greatest cybersecurity threat your organization faces.
This is not a Marsha problem. This is a systems problem wearing a Marsha costume.
We have spent two decades building digital infrastructure of staggering complexity and then handed the last line of defense to whoever happens to be sitting at a desk at 2pm on a Tuesday. Firewalls, encryption, multi-factor authentication — and then one human being, tired, distracted, maybe thinking about what to make for dinner — and the whole architecture folds. Security professionals know this. They have known it for years. They tell new hires about Marsha the way pioneers warned their children about wolves: not to be cruel, but because the threat is real and the wilderness does not care about your feelings.
The honest concession is this: no training eliminates human error. Studies on phishing simulation consistently show that a meaningful percentage of employees will click a malicious link regardless of how many awareness sessions they attend. Humans are not firewalls. They were not built to be.
Which is why the answer cannot be more Marsha-shaming. The answer is architecture that assumes Marsha will click — and catches her before the damage lands. Zero-trust network design. Automatic link sandboxing. Behavioral anomaly detection that triggers before a credential is compromised. These are not exotic technologies. They exist. The gap is not invention; it is will and budget priority.
Meanwhile, we keep running the same annual compliance training, clicking through the same cartoonish modules about suspicious emails, and then acting surprised when Marsha clicks. We have built a culture of blame around a problem that blame cannot solve.
Marsha will click again. Build for that.
---
The Marrow: Human error in cybersecurity is a systems failure, not a personnel failure — and organizations that treat it otherwise will keep losing.
Key Sources: No specific studies or statistics were present in the raw input; the reference to phishing simulation research needs sourcing.
What I Shaped: The raw input was a personal journal fragment — kitchen scene, child texting for money, Marsha anecdote — with no explicit argument. I excavated the Marsha observation as the editorial's engine, discarded the domestic framing entirely (it carried no argumentative weight), and built a cybersecurity systems-vs-blame thesis around it. The pioneer/wolves line was preserved verbatim; it was the best sentence in the draft.
