The Swiss Cheese Model for Cybersecurity

The Swiss Cheese Model might sound like something you'd hear in Wallace and Gromit, not a cybersecurity briefing, but it’s one of the most useful ways to understand how risk works in systems like schools:

 

Secure Schools - The swiss cheese graphic v4

 

Layers, holes, and how failures happen

 

First developed by psychologist James T. Reason, the model was originally used in industries like aviation and healthcare. It’s now a core concept behind defence in depth, a strategy just as relevant to school cybersecurity as it is to flight safety.

 

Here’s the basic premise:

  • Each slice = one layer of defence (e.g. audits, MFA, endpoint protection)

  • Each hole = a vulnerability or gap in that layer

  • A breach happens only when the holes in all the layers line up, creating a clear path through the system

In cybersecurity, that means a threat usually has to pass through several imperfect defences to succeed. If just one layer stops it, the incident is prevented. 

 

The approach is to add more layers, each reducing the risk and covering the potential holes in your defences. 
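The premise above can be written down as a small model. This is an added example, not part of the original article: each layer is described by its holes (the threats it does not stop), a breach path is a threat that appears in every layer's holes, and a candidate layer is judged by how many breach paths it closes. The layer names echo the article's examples; the threat labels, the candidate layers and which layer misses what are constructed assumptions.

```python
# Constructed sample data: each layer maps to its holes (threats it does NOT stop).
LAYERS = {
    "MFA": {"unpatched software", "malicious attachment", "lost unencrypted laptop"},
    "Endpoint protection": {"phished password", "unpatched software", "lost unencrypted laptop"},
    "Audits": {"phished password", "malicious attachment", "unpatched software"},
}

# Hypothetical layers a school might add next, described by their holes.
CANDIDATES = {
    "Patch management": {"phished password", "malicious attachment", "lost unencrypted laptop"},
    "Staff training": {"unpatched software", "lost unencrypted laptop"},
}


def aligned_holes(layers):
    """Threats that find a hole in every layer: the clear path through the system."""
    return set.intersection(*(set(holes) for holes in layers.values()))


def stop_count(layers):
    """For each known threat, how many layers stop it (0 means a breach path)."""
    threats = set().union(*layers.values())
    return {t: sum(t not in holes for holes in layers.values()) for t in sorted(threats)}


def best_next_layer(layers, candidates):
    """Candidate layer that leaves the fewest aligned holes once added."""
    def remaining(name):
        return len(aligned_holes({**layers, name: candidates[name]}))
    return min(sorted(candidates), key=remaining)


if __name__ == "__main__":
    print("Breach paths today:", aligned_holes(LAYERS))
    for threat, count in stop_count(LAYERS).items():
        print(f"  {threat}: stopped by {count} layer(s)")
    choice = best_next_layer(LAYERS, CANDIDATES)
    print("Add next:", choice)
    print("Breach paths after:", aligned_holes({**LAYERS, choice: CANDIDATES[choice]}))
```

In this sample every layer has holes, yet only one threat passes all three; the threats stopped by a single layer are the ones where one more failure would open a path.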

 

How does this apply specifically to school systems and approaches?

 

Schools, like most other types of institutions/businesses, have a wide range of moving parts: people (staff and students), processes, devices, data, and systems. The Swiss Cheese Model gives us a simple way to understand how all those parts come together to either block or enable risk.

 

By stacking diverse, overlapping layers of protection, you reduce the chance of a single failure.

 

Cybersecurity incidents in schools rarely have a single point of failure. They often involve missed updates, mismanaged accounts, gaps in staff awareness, or unclear responsibilities for staff.

 

When one weak spot is left exposed, a threat can pass through. But, when systems are monitored, access is well managed, and people are trained and supported, those holes are far less likely to align.

 

That’s why the most resilient schools take a layered, system-wide approach, treating cybersecurity as something that touches every part of the organisation, not just the IT team. 

 

What you should take away

 

Looking at your school’s cybersecurity through the Swiss Cheese lens helps shift the conversation in three essential ways:

 

  • No single control is foolproof; relying on just one product or policy isn’t enough.

  • Think about systems as a whole, not 'who to blame'. Most incidents aren’t about one person making a mistake; they’re about multiple weak spots combining.

  • Cybersecurity is a process; it isn't a silver bullet. It requires people, policy, technology, and governance to work together over time.


That means combining strategic, technical, human, and operational layers. Some holes will always exist, but with enough layers they are far less likely to line up, and each action you take adds to your preventative measures.

 

Every layer counts. Start with your first slice 🧀

 

If you want to build a more resilient, layered cybersecurity approach, that's where we come in! 

 

Our platform and services are designed to provide practical defences that fit your budget, size, and level of risk.

 

A good starting point is cyber score, a free, self-paced auditing tool that benchmarks your school’s cybersecurity posture. It shows you where the holes are in your defence, with advice on which layers to add next.

 

You can learn more about cyber score here.