A target groups we are attempting to reach on cyber security are the engineers and operators who run critical infrastructure, such as those responsible for power generation, oil refineries, and water plants. This may not be as sexy as some other industries, but without it life as we know it would literally shutdown. As such, it is critical we engage and train those who maintain it. One of the most effective ways we have learned to engage is to explain to people they are a target. So many people have the misconception that they are not a target, that they do not have value. Once they understand they have value, they are far more likely to listen and to change behavior. One of the most effective ways to communicate this is to tell a story, walk them through how they will be targeted and why. Show them in the the bad guys own words. To help the critical infrastructure community (often called Industrial Control Systems or ICS), we have created a video that does just that. This fictional video tells the story of how a group of hactivists hack into a utility and why. The video gets quite technical, walking you through step-by-step, starting with a spear phishing attack and ending with compromise of the primary historian server. You can check out the video, and its story at https://www.sans.org/security-awareness-training/products/engineer
