IP Security For Broadcasters 2026 – The Psychology Of Security
As engineers and technologists, it’s easy to become bogged down in the technical solutions that maintain high levels of computer security. But as the boundaries between traditional broadcast engineering and IT continue to dissolve, the first port of call in designing any secure system should be to consider the user.
To truly understand the vulnerabilities encapsulating computer security, we must consider the motivations of one very specific group: users. Users are often considered insecure by IT security departments, and consequently they are subjected to some rather draconian measures to “make them secure”. However, cybercriminals do understand how users think and no matter how secure a system, they use their knowledge of human psychology to gain the upper hand.
Phishing emails are well documented and understood by IT professionals. Attackers send very convincing emails to unsuspecting users asking them to click on a seemingly inconspicuous link. From there, details such as passwords and user IDs are easily within the grasp of the cybercriminals, and the rest is history. If the user procrastinates then the attackers use time pressure techniques to cajole them into making impromptu decisions to further the attackers’ cause.
Draconian Password Policies
Another example of vulnerability is a direct consequence of the password policy of the company. This may include forcing the user to provide complex passwords containing obscure characters, a mix of capitals and numbers, or just generally difficult to remember strings of characters. Forcing reset policies on users certainly achieves the goal of keeping passwords new, but this usually causes users a great deal of stress, especially if they’re working in a highly pressured broadcast environment with only minutes before a live program is broadcast.
Although active password management looks like an ideal technical solution, it’s far from a practical operation for users. Given a complex password that changes frequently, what does the user do? They write down their password! A password that is technically complex and mathematically un-hackable, suddenly becomes a vulnerability. And the more passwords and IDs a user requires, the more they write down and the more vulnerable the system becomes, especially if they’re not used very often.
Ease Of Use Paradox
It’s clear that a contradiction occurs with computer security. A system that is easy to use is invariably insecure, and a system that is very secure is difficult to use. Unfortunately, users demand easy-to-use systems, especially at times when stress levels are high.
Another complication is the user’s own perception of their threat to the company based on their understanding of the value of the data they have access to.
A user who has access only to email will probably not understand the dangers they could place the company in if they clicked on a phishing email or were to inadvertently share their login credentials. An attacker may even access their emails to find other admin-type users to help them form another part of the puzzle, and the user wouldn’t even know they had been looking at their emails.
Adhering to company policies may seem straightforward in itself. The bullet points are quite clear, and the board has signed-off the hundred-page document IT has spent weeks, if not months, designing. The directive makes perfect logical sense and provides the highest theoretical security standards possible. However, for users to embrace the security directive they must understand the threats that are posed and the part they play in negating them. Just providing a list of instructions, without context, is unlikely to encourage full user engagement.
User Context And Responsibility
In part, one solution is to promote understanding through training. Telling somebody not to click on a link in an email or telling them not to write their password on a post-it-note and leave it under their computer keyboard may make perfect logical sense, but from the view of the user, the instruction may seem relatively trivial and irrelevant.
The fundamental challenge we have is that most people cannot think like cybercriminals, mainly, because they are not criminals and do not have a criminal mindset. Why, for example, would you cover the credit card pay machine when entering your pin number in a restaurant? Not necessarily because somebody sat behind you could be craning their neck to see your pin number, but instead, what about the HD security camera in the ceiling? How do you know there isn’t an unscrupulous employee watching in the back room and writing down your pin number? Or how do you know somebody hasn’t hacked the WiFi and is viewing the camera from the comfort of their car outside?
Social media is playing an increasingly important role in the lives of many people. We share all kinds of information about our families and friends that we would probably never do in any other surrounding. Also, the lines between home and work life are being blurred, at least in a social media sense, leading to the opportunity for a cybercriminal to profile users and gain information that wouldn’t otherwise be available. Not only can this be used to hack into home accounts, but more importantly for the cybercriminal, it is a potential portal into the domain of the user’s company leading to the possibility of much greater pickings to further the attackers’ financial or political aims.
Criminal Mindsets
Cybercriminals have one fundamental advantage over the rest of us to further their cause, they’re willing to do things we won’t, and their actions are sometimes so abhorrent that we wouldn’t have thought about them in the first place.
Giving users context and understanding of the capabilities of a cybercriminal is critical to building secure systems.
Complacency provides massive potential for security breaches, even for IT professionals and broadcast engineers. Computer servers are gaining more traction in broadcast workflows and with that comes the potential for security breaches.
Although firewalls and virus scanners may make us feel confident about security, seemingly inconspicuous broadcast processing systems can be a source of vulnerability unless adequately protected, especially those running on old or out-of-date operating systems. Keeping a username and password to “admin” and “admin” may be convenient, as everybody in the engineering department can easily access the server, but it’s like leaving an open door for a cybercriminal with a big signpost on it. The firewall should stop them gaining access to the network, but if there’s a fault or unknown vulnerability, then they can scan servers in seconds to find any obvious holes.
Emotional Thinking First
Cybercriminals are often happy to play a waiting game. If they find a vulnerability they can exploit, they don’t necessarily do anything other than wait. Maybe create a password and username or install a process with a time activation in it, but they have time on their hands and just lie in wait.
Providing users with a list of instructions telling them what they need to do isn’t a long-term solution against cybercrime. To maintain full engagement requires IT system designers to think more about psychology and human emotion. They must put themselves in the shoes of the user and understand why having to change passwords, including WiFi access, is such a big deal for users, especially if they are working in high-pressured environments such as a live broadcast facility.
Security As Behavior, Not Technology
A common mistake in system design is to treat security as a purely technical problem. Firewalls, encryption, access control lists and monitoring systems are all essential components, but they do not, on their own, create a secure environment. Security is ultimately a behavioral system, and like any system that depends on human interaction, it is only as strong as the habits it encourages.
In broadcast environments this becomes especially critical. Engineers and operators are frequently working under extreme time pressure, where the primary goal is to keep a live service on air. In these moments, security is not the priority, continuity is. If a system prevents a user from doing their job quickly, they will find a way around it. This is not negligence; it is a rational response to the incentives placed in front of them.
For example, if accessing a critical system requires multiple authentication steps that introduce delay, users may share credentials or leave sessions open to avoid repeated logins. If file transfers are restricted, they may resort to personal devices or unapproved cloud services to move content quickly. Each of these actions bypasses carefully designed controls, not because the user is malicious, but because the system has failed to align security with operational reality.
This highlights a fundamental principle: users do not break security; poorly designed systems do. When security mechanisms are misaligned with how people actually work, they create friction. That friction is then removed by the user, often in ways that introduce far greater vulnerabilities than the original problem.
Designing For Real Behavior
To address this, security must be designed around real workflows rather than idealized ones. This means observing how systems are used during normal operation, but more importantly, during failure conditions. It is in these edge cases where behavior diverges most significantly from a broadcaster’s IT security policy.
In a live broadcast scenario, consider what happens when a piece of equipment fails minutes before transmission. The priority is immediate recovery, not compliance with security procedures. If access controls slow down intervention, they will be bypassed. If systems are too rigid, engineers will rely on workarounds that persist long after the incident has passed.
Effective security design anticipates this. It provides mechanisms that are both secure and fast, ensuring that in high-pressure situations, the secure path is also the easiest path. This may include role-based access that reflects actual responsibilities, temporary privilege escalation with auditing, or simplified authentication within trusted environments.
Another important aspect is feedback. Users need to understand the consequences of their actions in a meaningful way. Abstract warnings about “security risks” are often ignored, but clear, contextual feedback tied to real-world outcomes is far more effective. For example, demonstrating how a compromised email account can lead to broader system access makes the threat tangible rather than theoretical.
From Compliance To Culture
Ultimately, the goal is to move away from a compliance-driven model of security towards a culture-driven one. Compliance relies on enforcement and assumes that users must be controlled. Culture, on the other hand, relies on understanding and shared responsibility.
In a strong security culture, users are not the weakest link, they are an active part of the defense. They recognize suspicious behavior, question unexpected requests, and understand the importance of the systems they interact with. This does not happen through documentation alone, but through consistent messaging, practical training, and systems that reinforce good behavior.
For broadcasters, this shift is particularly important as workflows continue to move towards IP-based infrastructure. The boundaries between traditional broadcast engineering and IT are dissolving, increasing both capability and exposure. Without a corresponding shift in how security is perceived and implemented, vulnerabilities will continue to emerge in unexpected places.
Security, therefore, is not something that can simply be installed or enforced. It must be designed, communicated, and embedded into the way people work every day.
Supported by
You might also like...
Standards: Audio - Advanced Audio Coding (AAC)
AAC succeeded MP3 by delivering better quality at lower bitrates. This guide examines how it works, compares the leading encoder implementations, and explains where it sits within the broader MPEG audio standards landscape.
Broadcast Standards - The Science Of AI: New Foundations
We begin this series with the foundational building blocks of AI. Basic principles, the technology stack and the types of AI based upon it, and how to apply them effectively in a broadcasting enterprise.
IP Security For Broadcasters - The Book 2026
Security is everyone’s problem. It is not just about having the right policies in place or knowing where the vulnerabilities in your network are; it’s about understanding how the network is accessed and by whom, and how to str…
Standards: Audio - MPEG Layer 3 Audio Coding (MP3)
Launched in 1995, MP3 remains one of the most ubiquitous audio formats in the world. This guide explains how psychoacoustic compression works, explains the differences between MPEG-1 and MPEG-2 implementations, and finds out where MP3 works – and where it doesn’t.
Network Traffic Engineering: Head-Of-Line Blocking - Why QUIC Changes The Rules
Head-of-line blocking turns minor packet loss into visible glitches by stalling entire TCP streams until missing data is retransmitted. Eliminating cross-stream blocking by multiplexing independent streams over UDP, QUIC might be the answer for OTT delivery, cloud workflows and the…