My latest @ISACA column was posted recently. This time I tackled a hard issue in the human factors space: awareness training. Specifically, I explored the notion that having a good security team may actually impede the effectiveness of a security awareness program. I did this through the application of some concepts from the bystander effect.
You can check it out here: Security Awareness and the Bystander Effect.
The Risk Dr ® 
Dear Dr. Freund,
Interesting article, here some of my thoughts on it.
“Indeed, we have trained our organizations to anticipate that security is already “baked in.” This is one of the reasons that phishing and spear phishing still remain top attack vectors.”
I believe phishing/spear phishing is effective because we don’t analyse the risks correctly and jump to implementing what everyone else is doing i.e. security awareness, phishing assessments etc. because that’s easier than changing processes that permit transfer of millions of dollars based on a “CEO” email, because it’s easier than implementing 2FA which makes captured credentials useless, because it is easier than doing risk-based authentication etc.,…
“…it is reasonable that an average, non-IT employee can expect that any email they receive is legitimate.” The question should be “why do we design security that is so easy to break, that all it takes is an email and a user clicking on something”?
” The human factors of information security cannot be overlooked. You can be certain your attackers will not ignore them.” That I agree with but I would not prioritize it over engineering security systems from the start that fail that easily.
Some related blog posts I wrote:
https://www.linkedin.com/pulse/security-awareness-debate-can-settled-osama-salah/
https://www.linkedin.com/pulse/security-awareness-links-walls-osama-salah/
So many good points here Osama! I don’t disagree with what you are saying. One of the things I like to say is that as humans we like to be friendly and helpful (mostly) and there are elements of society that know how to take advantage of that. Of course those bad elements of society are just as human as the good ;-)