Security awareness is not a control: Rethinking human risk in enterprise security
Summary
Organizations have traditionally relied on security awareness training and phishing simulations to combat threats like business email compromise and credential theft. Despite these efforts, financial losses and successful credential harvesting continue to rise, which points to a fundamental misclassification: security awareness is treated as a 'control' when it is really an educational measure. True security controls are designed to prevent, detect, or limit outcomes structurally, irrespective of individual actions or knowledge, unlike awareness training, which aims to influence judgment but cannot eliminate inherent human variability.
IFF Assessment
The article highlights that traditional security awareness training, while well intended, is not a sufficient control on its own, and that attackers continue to exploit the gap it leaves, indicating that current defensive strategies are failing to keep pace with evolving threats.
Defender Context
Defenders need to re-evaluate their reliance on security awareness training as a primary defense mechanism and instead focus on implementing robust, automated security controls. Trends show that adversaries are adept at bypassing human-centric defenses, necessitating a shift towards technical controls that do not depend on individual user actions.