I'm really excited to see the security awareness community begin to develop and mature. Organizations are realizing that technology can only go so far; they also have to address the human factor. As a result, we are seeing security awareness go beyond mere compliance and focus on changing behavior, to have an impact and ultimately reduce human risk. Accomplishing this requires a number of different skills, backgrounds and areas of expertise. Examples include human behavior, risk analysis, project management, marketing, communications, metrics and e-learning technologies. Obviously no one individual can have such a wealth of expertise, so we have to work with and learn from our peers. Listed below (in no particular order) is a round-up of blogs focusing on the human element. As this field continues to grow I'll add more over time.
- Social Engineering: Chris Hadnagy and his team are doing some great work on the psychology involved in socially engineering people. Chris and his team also lead the "Capture The Flag" Social Engineering event at Blackhat every year. This is a good source for learning about the root of the problem.
- Wombat Security: Wombat focuses on phishing and originally started their work based on research at Carnegie Mellon University. They have some great academic research papers posted in their resources section.
- MAD Security: Mike Murray and his team are passionate about securing the human element and have a strong focus on the behavioral side. In fact, Katrina Rodzon recently joined the team; her degree is in Human/Cognitive Behavior.
- Compliance & Privacy: Rebecca Herold focuses on the compliance and privacy issues of security awareness. While our goal is to take awareness beyond compliance, it is important to ensure we are always still compliant.
- ThreatSim: One of the newer kids on the block focusing on the phishing side. Very active blog.
- KnowBe4: A security awareness company that focuses on going beyond compliance to changing behavior. Stu Sjouwerman and his team have some great ideas and maintain an active blog.
- PhishMe: One of the very first companies specializing in phishing education and resources.
What are some other resources that we should be including? They do not have to be security related, as I'm sure other industries are also attempting to change behaviors and we could learn from them (health care is a big one that comes to mind).