Severance: what the hit show can teach us about cyber security and human risk

What if your work self didn’t know about your personal life, and your home self had no idea what you did for a living? In Apple TV’s Severance, that’s exactly the deal: a surgical procedure splits the memories of employees into “innies” (who only exist at work) and “outies” (who never recall what they do from nine to five).

On the surface, it sounds like an ideal solution to a growing cyber security problem of insider threats, such as leaks or sabotage by employees. After all, if an employee can’t remember what they accessed at work, how can they leak it, sabotage it, or sell it?

As someone who has researched insider threats for the last decade I can’t help but see Severance as a cautionary tale of what happens when we try to eliminate threats without understanding people.

The threat from within

Insider threats really hit prominence in the wake of high-profile incidents like Chelsea Manning and Edward Snowden, who both leaked top secret government information. These threats are one of the most persistent challenges in security because unlike “traditional” hackers, insiders already have access to sensitive systems and information.

They might act maliciously, stealing trade secrets or exposing data, or accidentally, through phishing links or lost devices. Either way, the consequences can be more serious because of the unprecedented levels of access someone has while working within an organisation.

While we often think of the high-profile cases in the first instance, the reality of most insider incidents is far less dramatic. Think of the disgruntled employee who downloads a client database before leaving, or the well-meaning staff member who shares a sensitive file via the wrong link.

In fact, one of the most iconic examples of an insider threat in fiction is Jurassic Park. The entire catastrophe begins, not with a dinosaur, but with a software engineer, Dennis Nedry, who disables the park’s security in an attempt to steal trade secrets. It’s a reminder that even the most sophisticated systems can be undone by a single rogue employee.

Organisations try to manage this through access controls, behaviour monitoring and training. But people are unpredictable. Insider threats sit at the messy intersection of human behaviour, organisational culture and digital systems.

This is where Severance strikes a chord. What if you could eliminate the human risk altogether, by turning employees into separate, tightly compartmentalised selves? In the show, workers at the shadowy Lumon Corporation have no memory of their job outside the office and vice versa.

In a sense, it’s the ultimate form of “need to know.” An “innie” can’t tell anyone what they do because they don’t know anything beyond their desk. It’s a very elegant, although ethically problematic, solution for someone working in security. However, as the series unfolds, it becomes clear that the levels of control on offer through the process of severance come with a terrible cost.

The problem with control

The innies in Severance are trapped in an endless workday, unable to understand the meaning or value of their tasks. They form bonds, question authority and ultimately rebel. Ironically, it is the severed employees, the ones who are most closely controlled in the company, who become the greatest insider threat to Lumon.

This mirrors something we know from real organisations: excessive surveillance, control and secrecy often backfires. For instance, Amazon has faced repeated criticism over its use of tracking technologies to monitor warehouse workers’ movements and productivity, with reports suggesting this has contributed to high stress, burnout and even rule-breaking as workers try to “game” the system.

A 2022 study published in Harvard Business Review found that employees who feel overly monitored are significantly more likely to break rules or engage in counterproductive behaviour – undermining the very goals of workplace surveillance. If people feel undervalued or mistreated, they’re more likely to become disengaged or actively hostile. Security systems that ignore culture and trust are therefore often brittle.

What Severance gets right is that insider threats are emotional and ethical problems as much as technical ones. They stem from how people feel about their role, their autonomy and their identity within a system. This is something that we can’t simply patch within a piece of software.

Lessons from fiction

Thankfully, no company in the real world is proposing surgical memory separation, at least not yet. But in an age of algorithmic management, increasing surveillance, and growing concerns about privacy, Severance resonates. It forces us to ask just how far should we go in the name of security?

The answer isn’t to separate people from their work, but to build systems that are secure and respectful of the people within them; something increasingly backed by research.

That means better design, clearer boundaries and a workplace culture that values openness, not just compliance. For example, implementing clear expectations around work hours and communication norms can help prevent burnout and promote wellbeing.

Encouraging open communication channels, such as anonymous feedback systems, empowers employees to voice concerns without fear, fostering a culture of trust. Additionally, designing physical workspaces that promote collaboration, like open-plan areas and communal lounges, can enhance team cohesion and reflect organisational values.

If we follow the example set by Lumon and try to remove all risk then we lose something far more essential – the humanity at the centre of our systems and organisations. Ultimately, removing that human focus could be the most significant vulnerability of all.

This article is republished from The Conversation under a Creative Commons license. Read the original article.