Lucy Davies, the summer 2025 RISCS doctoral intern, has drawn upon the expertise of the wider RISCS community to put together a critical response to the BBC Panorama documentary Fighting Cyber Criminals. In this blog, Lucy explores the impact of the programme on public understanding and its engagement with cyber security.
Key Takeaways
- The documentary deserves credit for making cybercrime accessible in a constrained format and for offering rare access to NCSC operations.
- The documentary portrays hackers as omnipotent and cyber security as the domain of elite ‘spies’; such mythologising may discourage the general public and small and medium-sized enterprises (SMEs) from taking practical cyber security actions themselves.
- The framing of ransomware as purely financially motivated represents an oversimplification and ignores other rationales (e.g., activism, espionage, disruption).
- The psychological burden on cyber security professionals is glamorised rather than realistically portrayed, missing an opportunity to raise awareness of burnout and human-centred issues at the heart of incident responses.
- While seemingly targeted towards a primary audience of business owners and members of the general public, the documentary offers little in the way of clear, empowering advice—potentially leaving viewers confused and disengaged.
- Experts highlight the need for inclusive language and demystification to support national cyber resilience.
Proposed Actions
- Produce a follow-up episode or companion content focused on practical cyber security advice tailored to specific audiences (e.g., SMEs, parents, older adults).
- Showcase cyber security educators and everyday security practices to help normalise and humanise digital safety.
- Reframe cyber security in media communications to reduce fear-based storytelling and foster a sense of agency and relevance among key audiences.
- Encourage policymakers and media outlets to collaborate on public-facing cyber literacy initiatives using responsible and accessible language.
Blog
Spies. Warfare. Detonation. You’d be forgiven for thinking the subject of this blog was a James Bond film. Today, we’re discussing the recent BBC Panorama documentary ‘Fighting Cyber Criminals’ (available on iPlayer). For this opinion piece, we got in touch with academics, business owners, politicians, and journalists to get their take on the documentary and examine this question: Just what will the public take away from this Panorama special?
The Positives
Firstly, let’s commend the Panorama producers for the positives. A half hour slot is very limiting if you want to truly explore the intricacies of cyber crime and to bring this to the general public in an accessible way is a challenge indeed. Programmes formatted like Panorama, we are told, are ‘conceived, commissioned, researched, filmed and edited in a matter of weeks’, which gives very little time for holistic considerations to be made. This is a difficult topic, and one that most people have little or no personal experience of, making it a courageous move to bring this to a general audience on a primetime evening television slot. Additionally, it was impressive that the programme producers managed to gain entry to interview and film with the National Cyber Security Centre (NCSC), giving a fascinating peek behind the scenes on what is often an invisible layer of defence around the country. Although it is understandable (as an understatement) that individuals at the NCSC often need to work under the radar, being able to humanise the people behind the screens was important for the audience to understand how this organisation functions.
The documentary included other ‘humanising’ elements, such as the moment when the boss of a transport company stated he would not identify the employee who had been unwittingly responsible for the breach that eventually caused the downfall of the company. As Dr. Oishee Kundu (postdoctoral research associate at Cardiff University and RISCS Associate Fellow) observes, the idea that ‘humans are the weakest link’ is unhelpful because ‘humans are the only link (who else is there?)’.
The Hackers
However, there the human focus of the documentary ends and the mythologising tropes take over. A number of common myths of cyber security are perpetuated in this documentary, especially the idea that hackers are all-powerful and making moves too complex for regular people to be able to do anything about. The more people believe in the despotism of hackers, the less likely they are to feel they can hold agency and take steps to protect themselves. The less they protect themselves with basic cyber hygiene, the more capable hackers become, because there are fewer obstacles in their way. The myth becomes reality.
Let’s briefly break down the notion of myth to really get under the hood of why these kinds of narratives are problematic. Roland Barthes (humanities scholars may feel a shiver down their spines at this point) was a French literary theorist active in the 20th century. One of his areas of work was the semiotics (or meaning-making) of myth. He writes about myth that it ‘hides nothing: its function is to distort’. Breaking it down a little more, there are two elements at play in mythologising. There is the signified or the literal ‘thing’, contrasted with the signifier, the myth or perception of the ‘thing’. In our scenario, the signified ‘hacker’ is just a person who has access to a computer, as most of us do, but chooses to use that access to attempt to conduct criminal activity. That doesn’t seem too scary in those terms. The problem is when—as Reid Skibell puts it in his 2002 article, ‘The Myth of the Computer Hacker’—we ‘locate the gap’ between the signified (the actual computer criminal) and the socially constructed signifier of the hacker. Within this gap we find an amplification of the perceived power of the hacker, an increase in their mystique, and a swift decline in the social understanding of our ability to do anything about it. The real image of the person sat with a computer is well and truly distorted.
This discussion of the semantics of cyber mythology isn’t just confined to this post. RISCS Advisory Board members Dr Ola Michalec and Simon Shiu are leading the Cyber Security Growth Action Plan; Ola explained that one of the aims of this work is ‘to highlight the role of language in cultivating community-oriented visions of cyber security’, whether in the context of ‘inclusive product development or mass adoption of publicly funded digital technologies’. The criticality of the language we use to discuss cyber is very much on the agenda for policymakers and will be reflected in future iterations of the National Cyber Strategy. The narratives we tell about cyber security, the words we use, really matter.
Is perpetuating the hacker myth useful for the public? You won’t be surprised to hear our answer is a resounding ‘no’. Berta Pappenheim, founder of CyberFish and another RISCS Advisory Board member, argued that ‘this narrative actively undermines public cyber resilience’:
When people believe cyber security is someone else’s job requiring mystical expertise, they become psychologically disengaged from their own cyber safety and organisational preparedness. I think the documentary’s spy thriller approach creates psychological distance precisely when we need engagement and personal relevance.
Real cyber resilience comes from making good cyber security practices feel normal and accessible, not extraordinary. When we mystify cyber security rather than demystify it, we inadvertently increase anxiety while reducing the practical actions people feel capable of taking.
Distorting the true nature of cyber security in this sense, then, reinforces a myth that risks actively harming the country’s engagement with attempts to improve our national security posture. If cyber security educators are Sisyphus, pushing the public towards better understanding, trope-filled documentaries kick that boulder further down the hill.
The Spies
The documentary’s mythologising of hackers doubled down by adding in superhero-adjacent ‘spies’, represented here as the only people qualified to ‘fight’ against the fabled omnipotence of the hackers. The interviewee (or ‘spy’, using the documentary’s own terms) repeated that they find the work ‘thrilling’. This may well be the case for this individual—or for some others, some of the time. However, a recent article found that more than half of security analysts have considered leaving the field due to burnout. Alert fatigue—that is, the ‘desensitization and exhaustion’ that analysts experience—can mean that these overworked analysts can fail to respond appropriately to threats due to cognitive overload. One filmmaker we spoke to said that the people in these analyst roles are sometimes described as ‘child soldiers’, referring to the fact that it is usually young entry level workers who occupy these roles and that they endure high levels of psychological stress. Calling attention to this during the documentary could have had a powerful impact upon how people understand the behind-the-scenes work of cyber security: less thrill-seeking, more high-stress digital drudgery. If the documentary was designed for the attention of business owners, a peek behind the curtain of a security operations centre (SOC) to show the lived realities could have started conversations on how things could be improved in the sector.
The Crimes
Inevitably, perhaps, the documentary included some over-simplification of complex problems. For example, it stated that ’ransomware is a purely financially motivated crime’. This was followed by discussions about plans to stop payments—suggesting that by ensuring businesses and critical national infrastructures (CNIs) don’t pay ransoms, the problem is solved…right? An issue of supply (money) and demand (ransoms) would be fixed through legislation. Only this month, the UK government has proposed that CNIs will be ’banned from paying ransom demands to criminals‘ in order to ‘smash the cybercriminal business model’.
Unfortunately, this is a simplistic take on a complex issue (and an interesting prospective legislative manoeuvre from the government). Not all individuals demanding ransoms are led by solely financial motives. NotPetya famously hit Ukraine (amongst other countries), encrypting data and demanding ransoms, but it wasn’t really about money, or even data; rather, ‘it was an act of war’. Environmental concern groups like Just Stop Oil are known for their disruptive efforts to draw attention to human-caused climate change. If a group with social concerns wanted to draw attention to a problem that is otherwise ignored, wouldn’t a disruptive ransomware attack provide a more significant impact than a street-based protest? Attacking to shut down the operations of a company is likely to cost it an average of £1.46 million to fix and can crash its share price through reputational damage—as illustrated by Capita’s steadily declining value since its March 2023 breach.
A 2022 research paper identified seven motivations for cybercrime ranging from the abovementioned financial and ideological reasons to curiosity, notoriety, revenge, recreation, and sexual impulses. Banning CNIs from paying ransoms is unlikely to address all of these rationales. The documentary’s focus solely on the financial motives for cybercrime may go some way to being useful for business owners, but oversimplifies the reasons for attacks.
The Audience
Who was this episode of Panorama really aimed towards? The answer that seems most obvious is SME owners in the UK. They are the most likely to be attacked by ransomware (according to this documentary) and should probably be doing something about it. Something, yes—but what? I won’t be alone in feeling somewhat despairing by the end of the documentary. After all, if only the ‘spies’ can beat the omnipotent ‘hackers’, and if we see one of Britain’s oldest businesses taken down by a single unsafe password, what hope is there for the ‘regular people’? For the owner of a local recruiting company, or a chip shop, or a taxi firm? What about an education company with 200 employees but no real IT department? What about local councils who have to make cuts to social care, and definitely can’t afford expert security consultancy? We have had our attention grabbed and it feels like a call to action is needed, but the state in which the programme leaves its audience seems to be a combination of powerlessness and even hopelessness.
We’ve seen the risks, the pitfalls, the horror stories—but now what? ‘Fighting Cyber Criminals’ could see a sequel: ‘Defending Yourself Against Cyber Criminals’. There are some incredible people out there (some featured in this blog) who could be invited in to give short bursts of advice. This could even be split into advice for different groups—such as parents, business owners, older people (to name just a few)—and pitched so as to give the public practical steps and agency to help them keep themselves safe online. Delete a man’s phishing email and he doesn’t get attacked for a day; teach a man not to get phished, and…well, you get the point. Reducing the mystique and the mythology, as well as the shame and stigma of not knowing what to do about cyber security (whilst pointing to reputable sources for answers), will only help enhance our cyber resilience as a nation.
We don’t need more James Bond narratives or sensationalising tropes in cyber security. We need tangible, relatable, actionable advice. This documentary told the first half of the story. We see the ‘villains’ and the threat they pose, as well as the ‘spies’ and the overwhelming burden of responsibility they carry. Now show us the rest of the narrative: the ‘ordinary people’ empowered to feel safe in their digital world, knowing what to do when things go wrong or don’t seem right, knowing who they can turn to—and knowing that they can be their own ‘heroes’.
Lucy Davies
Postgraduate Researcher, Cyber Security (Cyber Secure Everywhere) CDT, University of Bristol
RISCS doctoral intern, summer 2025