- Human factors in security: social engineering, BEC, and awareness
Quick recap. This session was a wide-ranging discussion of the human side of security: social engineering, user behavior, and why technical controls alone cannot carry the load. Led by Stryker and others, the group worked through business email compromise, the role of middle management in whether problems get reported, and how to design systems and awareness programs that make the secure choice the easy one. New members were welcomed, and Shawn noted site traffic had doubled to over 7,000 unique visitors in 15 days.
Human factors and business email compromise
Building on Stryker's recently published article, the group focused on how people and processes - not just technical controls - sit at the center of most breaches. Neil shared a business-email-compromise case in which a comptroller wired a million euros on the strength of a single email, underscoring that human judgment is part of the control set. Stryker's framing: attackers exploit human trust and behavior, so people are an essential part of the solution, not merely the problem.
Compensating controls and the leadership disconnect
Jay argued that established business processes act as compensating controls, so an organization need not rely solely on technical measures. Stryker cited a survey finding that 49% of C-suite executives had requested security bypasses despite backing the security mission - a gap between stated intent and action. Tyler pushed back that the sharper problem is middle management, pointing to a case where team leads discouraged reporting a GitHub credential exposure to leadership out of fear of consequences. The group agreed that a blameless environment, where people feel safe reporting, is essential.
Designing so the secure choice is the easy one
Paul offered a bridge metaphor: security systems should be engineered to hold up under human error rather than blaming users when something fails. The group discussed better technical controls paired with better user experience, and Tyler noted that the shift to microservices and specialized systems has made security harder to simplify. Jay floated software liability as a lever to push security earlier into development.
Basic security education and the digital-literacy gap
Rev and Stryker debated whether security failures stem from mismatched incentives or a lack of basic education, agreeing that making secure choices easier and teaching fundamentals - 2FA, password management - would move the needle. Matt observed that simplified consumer experiences have quietly eroded digital literacy among younger workers, widening the gap between personal and professional security habits.
Communicating risk to non-technical audiences
The group discussed how to explain technical risk without leaning on fear. Stryker used food-safety analogies for supply-chain attacks, and the group concluded that effective communication starts from the audience's existing knowledge and builds up, weighing emotion and authority alongside logic. Stryker floated a personal-security-awareness campaign for Cybersecurity Awareness Month in October.
