This post is the second in a series of what I consider the top ten topics for any security awareness program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start. I feel the topic of Social Engineering is one of the most important in your awareness arsenal and should be the second module you teach (after You Are The Target). The idea is that most attacks against humans today are based on some form of social engineering. By explaining what social engineering is and how it works, you lay the foundation for how employees can protect themselves. In addition, by understanding social engineering, you prepare end users for future attacks we are not even aware of yet, providing long term value. That is why I always like to teach social engineering first with a non-technical example. Specifically how attackers can trick you out of your credit card number when you are staying at a hotel. This example is something most non-technical users can identify with. Once they understand these concepts, it becomes much easier to teach the same lessons but for the cyber world. To see an example of how this can be communicated, check out this awareness video on Social Engineering.
Previous Topics
#1 You Are The Target
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.