
Friday, May 15, 2026 - Meeting Recap


Human factors in security: social engineering, BEC, and awareness

Quick recap. This session was a wide-ranging discussion of the human side of security: social engineering, user behavior, and why technical controls alone cannot carry the load. Led by Stryker and others, the group worked through business email compromise, the role of middle management in whether problems get reported, and how to design systems and awareness programs that make the secure choice the easy one. New members were welcomed, and Shawn noted site traffic had doubled to over 7,000 unique visitors in 15 days.


Human factors and business email compromise

Building on Stryker's recently published article, the group focused on how people and processes - not just technical controls - sit at the center of most breaches. Neil shared a business-email-compromise case where a comptroller wired a million euros off a single email, underscoring that human judgment is part of the control set. Stryker's framing: attackers exploit human trust and behavior, so people are an essential part of the solution, not merely the problem.

Compensating controls and the leadership disconnect

Jay argued that established business processes act as compensating controls in their own right, so an organization need not rely solely on technical measures. Stryker cited a survey finding that 49% of C-suite executives had requested security bypasses despite backing the security mission - a gap between stated intent and action. Tyler pushed back that the sharper problem is middle management, pointing to a case where team leads discouraged reporting a GitHub credential exposure to leadership out of fear of consequences. The group agreed that a blameless environment, where people feel safe reporting, is essential: a leaked credential that goes unreported stays valid far longer than one that is rotated the same day.

Designing so the secure choice is the easy one

Paul offered a bridge metaphor: security systems should be engineered to tolerate failure, the way a bridge is built with a safety margin, rather than blaming the user when something breaks. The group discussed better technical controls paired with better user experience, and Tyler noted that the shift to microservices and specialized systems has made security harder to simplify. Jay floated software liability as a lever to push security earlier into development.

Basic security education and the digital-literacy gap

Rev and Stryker debated whether security failures stem from mismatched incentives or a lack of basic education, agreeing that making secure choices easier and teaching fundamentals - 2FA, password management - would move the needle. Matt observed that simplified consumer experiences have quietly eroded digital literacy among younger workers, widening the gap between personal and professional security habits.

Communicating risk to non-technical audiences

The group discussed how to explain technical risk without leaning on fear. Stryker used food-safety analogies for supply-chain attacks, and the group concluded that effective communication starts from the audience's existing knowledge and builds up, weighing emotion and authority alongside logic. Stryker floated a personal-security-awareness campaign for Cybersecurity Awareness Month in October.
