The Doorman Fallacy - Complete Framework for UK Businesses
This episode is brought to you by Authentrend, providing biometric FIDO2 security solutions that make MFA actually work for small businesses. Check them out at authentrend.com/smallbizcyberguy
We're going to talk about why your business is probably destroying value whilst congratulating itself on efficiency gains.
I spent my holiday reading marketing books on a beach. I know, I know, pathetic. But buried in Rory Sutherland's Alchemy was a concept that finally gave me the words to describe every stupid decision I've watched clients and employers make for the last four decades.
It's called the doorman fallacy. And once you see it, you can't unsee it.
What Is The Doorman Fallacy?
Imagine you're a consultant analysing a five-star hotel. You watch guests enter, greeted by a uniformed doorman who opens the door. You think: that's inefficient.
The doorman's job is opening doors. We can replace him with an automatic door mechanism. Save £35,000 a year in salary, benefits, holidays, sick pay.
Brilliant efficiency gain, right?
Wrong. Catastrophically wrong.
The automatic door opens perfectly. Functions exactly as specified. Guests can enter just fine.
But something changes. The hotel stops feeling quite so luxurious. Bookings gradually decline. Revenue drops.
The Hidden Functions
Because the doorman wasn't just opening doors.
He was hailing taxis, recognising regulars, and providing visible security. Carrying bags when guests struggled. Answering questions about local restaurants. Signalling that this establishment cares enough about service to employ a human rather than install an automatic door.
The doorman's notional function was opening doors. His actual value came from dozens of other things you couldn't easily measure or quantify.
The consultant defined his role too narrowly, optimised for efficiency, and accidentally destroyed far more value than the £35,000 salary cost.
This is the doorman fallacy: defining roles by their obvious, measurable function whilst missing the invisible value that makes them actually worth having.
Why This Matters For Cybersecurity
I've been in this industry for 40 years. I've seen this pattern repeat endlessly:
Someone views security costs through a narrow efficiency lens. Defines its role as just the obvious bit. Cuts it to save money. Misses all the invisible value. Watches everything fall apart. Spends 10 times the "savings" fixing what they broke.
And they never learn. Because they still don't understand what they actually destroyed.
Let me show you five examples. I guarantee you'll recognise your own business in at least three of them.
Example One: Security Training Cuts
Picture this: CFO's office, budget meeting, someone's highlighting costs that don't generate direct revenue.
"We're spending £15,000 annually on security awareness training. What do we get? Some slides about phishing emails that people ignore anyway. The open rate on our last training module was 42%. We're paying £35 per employee for content they don't watch."
Sounds reasonable, doesn't it?
Here's what they're actually cutting:
The training's notional function is "teaching people about phishing." Its actual value includes: normalising security conversations so staff feel comfortable reporting suspicious activity without fear of looking stupid. Creating a shared vocabulary so that when someone says, "that looks like a phishing attempt," others understand immediately. Building institutional memory about what attacks look like so employees recognise patterns across different attack vectors. Providing legal and regulatory cover, demonstrating due diligence, and establishing baseline expectations so you can reasonably discipline staff who deliberately ignore protocols.
Cut the training, save £15,000.
Then watch what happens.
Staff stop reporting suspicious emails because they're embarrassed about "bothering IT with nothing." You miss the initial reconnaissance of a major breach because no one flags the credential-harvesting attempt. The breach escalates for six weeks before detection. Recovery costs £180,000. GDPR investigation finds inadequate staff training. ICO fine: £50,000.
Total cost of your £15,000 saving: £230,000.
And you still haven't factored in reputational damage, customer churn, or the subsequent premium increase on your cyber insurance. Assuming you still have cyber insurance after this incident.
According to the 2025 Cyber Security Breaches Survey, 43% of UK businesses identified a cyber security breach or attack in the past year. The average cost of the most disruptive breach was £1,600 per business, rising to £3,550 when you exclude zero-cost responses.
But here's the exciting bit: only 19% of businesses overall conduct cybersecurity staff training and awareness activities. For large companies, it's 76%, but they're still being breached.
Is your business cutting training to save money? You are about to become a statistic.
Example Two: MFA Removal
"Multi-factor authentication is creating friction. Login times increased by 30 seconds. Staff complaints are constant. It's impacting productivity. Let's make it optional for internal systems."
The notional function of MFA: adding an extra authentication step.
The actual value of MFA:
Protecting against credential theft from infostealer malware, which, according to KELA Cyber's 2025 analysis, has created an epidemic of stolen credentials. Blocking account takeover attempts using passwords leaked in third-party breaches. Preventing lateral movement after initial compromise of a single account. Signalling to staff that accounts are valuable targets worth protecting. Demonstrating security posture to customers, partners, and insurers. Maintaining compliance with Cyber Essentials (which requires MFA on cloud services) and other certification requirements. Reducing blast radius when (not if) an employee's personal device gets compromised. One caveat for the practitioners: the form of MFA matters. One-time codes can be relayed by a real-time phishing proxy, and an infostealer that lifts a valid session cookie bypasses the login step entirely, so phishing-resistant MFA (FIDO2 keys, platform authenticators) buys you considerably more than SMS or app codes.
Remove MFA, save the 30 seconds per login.
Then the British Library happens.
In October 2023, the British Library suffered a ransomware attack that compromised most of its online systems. The ICO's statement on the incident was crystal clear: the attack "escalated because of the lack of multi-factor authentication on an administrator account."
The library's own cyber incident review explained they'd considered MFA for their on-premises servers but decided against it "for reasons of practicality, cost and impact on ongoing Library programmes."
The cost of that decision?
£6-7 million in recovery costs. That's 40% of their entire financial reserves. Services disrupted for over a year. 600GB of staff data dumped on the dark web. Reputation damaged. Systems destroyed.
By my estimate they saved perhaps £50,000 by not implementing MFA properly. It cost them £7 million.
That's the doorman fallacy in action.
And before you say "but we're not the British Library," remember: 85% of businesses that experienced breaches cited phishing as the attack vector. Phishing leads to credential theft. Credentials without MFA protection are ransomware welcome mats.
Example Three: Cyber Insurance Cancellation
"We've had cyber insurance for three years. Never claimed. That's £8,000 annually we're throwing away. Cancel it."
The notional function of cyber insurance: paying out when you're breached.
The actual value of cyber insurance:
Access to incident response retainer services before you need them. Pre-negotiated rates with forensics firms, legal counsel, and PR specialists. Regulatory guidance through UK GDPR notification requirements, including the 72-hour window for notifying the ICO. Business interruption coverage whilst you recover. Ransom payment funding if you decide that's necessary (the NCSC and ICO advise against paying, and payment does not guarantee recovery). Legal defence costs for data protection enforcement actions. Third-party claims coverage when your breach affects customers. Insurance-mandated security improvements that actually prevent breaches. Annual security assessments identifying vulnerabilities before attackers do.
Cancel the insurance, save £8,000.
Then ransomware hits.
No incident response plan because you never needed one without insurance requirements. No pre-negotiated forensics rates, so you're paying premium emergency rates. No legal guidance on UK GDPR notification, so you miss the 72-hour ICO notification window and face additional penalties. No business interruption coverage, so the week of downtime comes straight out of revenue. No ransom payment funding, so you're scrambling to access Bitcoin whilst your systems are encrypted. No legal defence budget for the ICO investigation, so you settle quickly and pay more.
Total cost of breach without insurance: £75,000. Plus reputational damage that's impossible to quantify.
Cost of the insurance you cancelled: £8,000 annually. You saved three years of premiums before the breach. That's £24,000. The breach cost you £75,000 plus reputation damage.
Net result of your "efficiency saving": -£51,000.
And good luck getting insurance after a breach. If you can even find a provider willing to cover you, expect premiums to triple.
Example Four: IT Staff Replacement ("Dave from IT")
We've covered this before, but it bears repeating because it's the most common doorman fallacy I see.
"Dave from IT costs us £45,000 annually. All he does is reset passwords and run backups. We can replace him with a ticketing system and cloud backup service for £12,000. That's £33,000 in savings."
The notional function of Dave: password resets and backups.
The actual value of Dave:
Institutional knowledge of which workarounds exist and why. Vendor relationships built over years of dealing with the same support teams. Crisis judgment about which issues need immediate escalation. Understanding of which systems are actually business-critical despite not being documented that way. Tribal knowledge of historical decisions and why specific configurations exist. Ability to recognise patterns across seemingly unrelated incidents. Personal relationships with key users to ensure problems are reported early. Context for evaluating new tools and services. Translation layer between technical reality and business expectations.
Replace Dave with a ticketing system, save £33,000.
Then everything falls apart.
The ticketing system can't explain why the CRM integration keeps failing on the third Tuesday of every month. The cloud backup service doesn't know that the accounts database needs manual intervention before backing up. The help desk can't tell you which vendor to call when the phone system dies. The automated monitoring doesn't recognise that this specific error pattern means the payment processor is about to crash.
Systems fail. Revenue stops. Customers leave. You hire an MSP at £80,000 per year to handle what Dave used to handle. They don't have Dave's institutional knowledge, so they rebuild everything from scratch. That takes six months and costs another £50,000 in consulting fees.
Total cost of replacing Dave: £130,000 in year one, then at least £80,000 a year for the duration of the contract.
You saved £33,000 by firing Dave. It cost you £130,000 to learn what Dave actually did.
According to the 2025 Cyber Security Breaches Survey, board-level responsibility for cyber security has declined from 38% of businesses in 2021 to just 27% in 2025. That means fewer people at the decision-making level understand what security functions actually provide.
Which means more businesses are about to make Dave-style mistakes.
Example Five: Vendor Relationship Cuts
"This MSP charges £3,000 monthly. Their competitor offers the same service level agreement for £1,800. Switch providers."
The notional function of your MSP: maintaining systems per SLA.
The actual value of your MSP:
Understanding of your specific business operations and peak periods. Knowledge of historical incidents and solutions that worked. Relationships with your staff built through repeated interactions. Context for evaluating whether new issues are urgent or routine. Investment in learning your specific environment and quirks. Trust built through successfully handling previous crises. Integration knowledge across your entire technology stack. Motivation to maintain a relationship rather than merely fulfil a contract.
Switch to a cheaper provider, save £14,400 a year.
Then the new provider demonstrates why they're cheaper:
No context for your business, so they treat every issue identically. No historical knowledge, so previously solved problems get investigated from scratch. No relationships with your staff, so communication breaks down. No investment in understanding your environment, so changes break unexpected dependencies. No trust, so staff work around IT rather than with it. No integration knowledge, so system updates cascade into failures. A contract-focused mentality, so they do exactly what's specified and nothing more.
Response times increase. System stability decreases. Staff productivity drops as IT becomes an obstacle rather than an enabler. You're paying £14,400 less but losing £50,000 in reduced productivity and increased downtime.
Net result: -£35,600.
Plus, you've destroyed the relationship with a provider who actually understood your business. Good luck getting them back when you realise your mistake.
The Pattern
See the pattern?
Every example follows the same structure:
Someone identifies a cost with an obvious, measurable function
They define the role narrowly based on that obvious function
They find a cheaper alternative that performs the obvious function
They cut the original, congratulate themselves on efficiency
Everything that wasn't obvious disappears
Things fall apart in ways they didn't anticipate
They spend multiples of their "savings" fixing what they broke
This isn't hindsight bias. This is pattern recognition built from four decades of watching businesses make identical mistakes with identical results.
The Root Cause
Why does this keep happening?
Because visible costs are easy to measure, and invisible value is impossible to quantify until it's gone.
CFOs love measurable efficiency gains. "We reduced IT staffing costs by 30%" looks brilliant in a board report. "We maintained institutional knowledge and crisis response capability" sounds like making excuses for bloat.
Security training completion rates are measurable. The number of breaches prevented by trained staff recognising attacks is unknowable.
MFA login friction is quantifiable in seconds. The value of credentials not being stolen is impossible to calculate until they're stolen.
Insurance premiums are line items in budgets. Insurance value is theoretical until the crisis hits.
This asymmetry between measurable costs and invisible value creates a systematic bias toward cutting what actually matters.
How To Avoid The Doorman Fallacy
Right, enough horror stories. How do you avoid making these mistakes?
Ask better questions before cutting costs:
What's the notional function (the obvious, measurable role)? What's the actual value (everything else it provides)? What happens if this fails or disappears? What's the cost of being wrong about this decision? Who benefits from this cost cut? Who bears the risk if this backfires?
For any security cost you're considering cutting:
What's our current breach detection time? (UK average in 2025, per IBM: 190 days to identify and contain a breach for organisations without AI/automation) What's our current breach cost estimate? (UK average: £1,600 per business, £3,550 excluding zero-cost responses) What's the probability of a breach? (43% of UK businesses identified one in the past 12 months) What's the expected cost of this cut backfiring? (Multiply probability by cost, then, as a rule of thumb, apply a 3x multiplier for the things you haven't anticipated)
If the expected cost exceeds your savings, don't cut it.
If you can't calculate the expected cost because you don't understand what you're cutting, definitely don't cut it.
The Insurance Principle
Here's the brutal truth: security spending follows insurance principles.
You spend money on things hoping you never need them to work. When they work perfectly, you never see the value because nothing bad happens. The absence of disaster is invisible.
Until disaster strikes. Then you learn exactly what you were paying for.
Training that prevents breaches is invisible. Training that would have prevented breaches becomes glaringly obvious after the breach.
MFA that blocks credential theft is invisible. MFA that would have blocked credential theft becomes painfully clear when you're paying £7 million in ransomware recovery.
Insurance that covers breach costs is theoretical until you're breached without insurance and facing £75,000 in uncovered expenses.
The Current UK Landscape
Let's talk specific numbers for UK businesses in 2025.
43% of businesses experienced breaches in the past 12 months. That's down from 50% in 2024, primarily due to fewer micro and small businesses experiencing phishing attacks. But medium businesses (70%) and large businesses (74%) remain heavily targeted.
Average breach costs: £1,600 per business overall. For cyber-facilitated fraud (where breaches led to fraudulent activity), average cost jumped to £5,900, rising to £10,000 when zero-cost responses were excluded.
Only 19% of businesses conduct security training. Only 27% have board-level responsibility for cybersecurity (down from 38% in 2021). Only 42% seek external information or guidance on cybersecurity.
Translation: Most businesses are cutting the exact things that would prevent them becoming statistics.
Ransomware rose from under 0.5% of businesses in 2024 to 1% in 2025. Still small in absolute terms, but at least double the prevalence of a year earlier.
The businesses experiencing cyber crime averaged 30 incidents over the past year. Median was 4 incidents.
This is the environment in which businesses are cutting security spending to improve efficiency.
What This Means For Your Business
If you're reading this thinking "we haven't been breached, so our security spending is wasted," you're about to learn an expensive lesson about survivor bias.
If you're reading this thinking "we can't afford proper security," you definitely can't afford a breach.
If you're reading this thinking "this won't happen to us," you're statistically wrong: 43% of UK businesses identified a breach or attack in the last 12 months, and the ones that never noticed aren't even in that figure.
The average time to identify and contain a breach in the UK is 190 days without AI/automation. That's over six months of an attacker having access to your systems before you notice.
What damage can attackers do in six months of undetected access?
The Psychological Trap
The doorman fallacy persists because it feels intelligent.
Identifying inefficiency feels like good management. Finding cost savings feels like business acumen. Quantifying obvious functions feels like rigorous analysis.
And when things fall apart, you can always claim "we couldn't have known."
Except you could have known. The pattern is consistent. The examples are everywhere. The statistics are clear.
You chose not to know because knowing would have meant keeping the cost you wanted to cut.
Breaking The Cycle
Want to stop making doorman fallacy mistakes?
Change how you evaluate security spending:
Don't ask "what's the measurable function?" Ask "what happens if this fails?" Don't ask "can we do this cheaper?" Ask "what's the cost of being wrong?" Don't ask "what's the ROI?" Ask "what's the cost of the alternative?"
Run thought experiments before cutting costs:
"We cut security training. Six months later, we're breached because an employee clicked a phishing link they would have recognised with training. What's that cost?"
"We remove MFA. Three months later, credentials are stolen and used for ransomware deployment. What's that cost?"
"We cancel cyber insurance. Next year, we're breached and face £75,000 in recovery costs without coverage. What's that cost?"
If you can't calculate the downside cost, you shouldn't make the cut.
Final Warning
I've been doing this for 40 years. I've seen every variation of the doorman fallacy you can imagine.
And I'm telling you: the businesses cutting security costs right now are going to learn expensive lessons about invisible value over the next 12-18 months.
The threat landscape is escalating. AI-powered phishing is more sophisticated. Ransomware attacks have doubled. Supply chain compromises are increasing. Average breach costs are rising.
This is possibly the worst time in history to cut security spending.
But businesses will do it anyway. Because visible costs are politically easier to cut than invisible value is to defend.
And in 12 months, I'll be writing case studies about another wave of businesses that destroyed themselves whilst congratulating themselves on efficiency gains.
Don't be one of them.
The doorman does more than open doors. Your security training does more than show slides. Your MFA does more than add friction. Your insurance does more than sit unused. Your IT staff do more than reset passwords. Your vendor relationships are more than line items.
And you won't understand what they actually provided until they're gone and everything falls apart.
Stop replacing doormen with automatic doors. Start understanding what you're actually paying for.
Your business depends on it.
| Source | Article |
|---|---|
| Gov.UK | Cyber Security Breaches Survey 2025 |
| ICO | Statement on British Library's 2023 ransomware attack |
| British Library | Learning Lessons from the Cyber-Attack: Cyber Incident Review |
| IBM Security | IBM Report: UK Sees Drop in Breach Costs as AI Speeds Detection |
| KELA Cyber | Understanding the Infostealer Epidemic in 2025 |
| Industrial Cyber | UK Cyber Security Breaches Survey 2025 reveals persistent threats |
| Micro Pro | Top 10 Cybersecurity Threats Facing UK Businesses in 2025 |
| Rory Sutherland | Alchemy: The Surprising Power of Ideas That Don't Make Sense |