This is one of the main things we cover in all of our security awareness training. Yes, breaching data is the worst-case scenario and can be devastating to individual users, but it’s often the brand that takes the hardest hit.
You’re missing the point. It’s not to show that the brand is more important than user data, it’s to show that security events are multifaceted. You want employees to avoid making mistakes that lead to security events. Showing all the ways those events can fuck things up is the point.
Well, all problems are multifaceted. If I had to take trainings about how not to spill toxic waste in local rivers, I would not find it appropriate to mention damage to the brand either even though the brand certainly would suffer from such an event.
I think inherently we're all pretty selfish (for better or worse). I'd guess that saying "we can see from the past that the brand is damaged enough to cause XX% layoffs/go under" - as in an implicit 'this kind of thing will have real life consequences to your job' - probably has more impact than saying "there are real world consequences to people you have and are never likely to meet". Not saying it's right, but it's probably true.