Security Awareness Training: Teaching Humans Not to Click Shit
"Nothing is true. Everything is permitted. Don't click that link."
🧠 The Problem: Humans
Humans are the weakest link in security. Not because they're malicious—because they're human. They click links. They reuse passwords. They hold doors for strangers with badges. They want to be helpful.
Social engineering works because humans are social. Phishing works because emails look legit. USB drops work because curiosity kills. Training helps. Slightly.
ILLUMINATION: Users will click anything. Train them anyway. Then assume they clicked it. Defense in depth means assuming users are already compromised.
🎓 The Five Topics Everyone Needs
1. Phishing Recognition
That email from your CEO? Not your CEO.
Check sender addresses. Hover before clicking. Verify unusual requests. Your CEO doesn't need iTunes gift cards.
2. Password Management
Password123 is not secure.
Use password managers. Enable MFA everywhere. Don't reuse passwords. Length beats complexity.
3. Physical Security
Don't let strangers follow you inside.
Challenge unknown people. Don't hold doors. Don't plug in random USBs. Lock your screen.
4. Data Handling
Not everything goes to Dropbox.
Classify before sharing. Encrypt sensitive data. Don't email customer lists. Shadow IT creates shadow breaches.
5. Incident Reporting
Tell someone when things look weird.
Report suspicious emails. Report lost devices. Report possible breaches. Early reporting limits damage.
CHAOS ILLUMINATION: Security training isn't about making users security experts—it's about making them aware enough to ask questions before clicking.
🎣 Phishing Simulations: Test Reality
Send fake phishing emails. Track who clicks. Don't punish—educate. Punishment makes people hide mistakes. Education makes people learn from them.
Good simulations: Realistic scenarios, immediate feedback, learning resources.
Bad simulations: Trick questions, public shaming, no follow-up.
Click rates will never reach zero. 5-10% is realistic. If your click rate is 0%, your simulations aren't realistic enough.
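The metrics this section describes, as an added example that is not part of the original post: per-campaign click and report rates computed from constructed simulation events, the 5-10% realism band from the text, a flag for 0% campaigns, and the list of clickers for educational follow-up (names, campaign ids and event shape are all assumptions).

```python
"""Phishing-simulation metrics over a constructed event log.

Events are (campaign, user, action) tuples with action in
{"sent", "clicked", "reported"}. Rates are per recipient; a campaign
with no clicks at all is flagged as unrealistic, per the post.
"""
from collections import defaultdict

# 5-10% click rate is the realistic band stated in the post.
REALISTIC_CLICK_BAND = (0.05, 0.10)


def make_campaign(name, recipients, clicked, reported):
    """Build constructed events for one campaign (sample data, not real)."""
    events = [(name, u, "sent") for u in recipients]
    events += [(name, u, "clicked") for u in clicked]
    events += [(name, u, "reported") for u in reported]
    return events


# Constructed sample data: 20 recipients, two hypothetical campaigns.
USERS = [f"user{i:02d}" for i in range(1, 21)]
EVENTS = (
    make_campaign("q1-invoice", USERS,
                  clicked=["user03", "user11"],
                  reported=["user01", "user05", "user09"])
    + make_campaign("q2-ceo-giftcard", USERS,
                    clicked=[], reported=["user01", "user02"])
)


def summarize(events):
    """Return per-campaign rates and follow-up lists from an event log."""
    per = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set()})
    for campaign, user, action in events:
        per[campaign][action].add(user)
    lo, hi = REALISTIC_CLICK_BAND
    summary = {}
    for campaign, s in per.items():
        sent = len(s["sent"])
        # Only count actions by actual recipients; stray events are ignored.
        clickers = sorted(s["clicked"] & s["sent"])
        reporters = s["reported"] & s["sent"]
        click_rate = len(clickers) / sent if sent else 0.0
        report_rate = len(reporters) / sent if sent else 0.0
        summary[campaign] = {
            "sent": sent,
            "click_rate": round(click_rate, 3),
            "report_rate": round(report_rate, 3),
            "in_realistic_band": lo <= click_rate <= hi,
            "unrealistic": sent > 0 and not clickers,  # 0% clicks: too easy
            "needs_follow_up": clickers,  # educate these users, don't punish
        }
    return summary
```

Report rate is tracked alongside click rate because a rising report rate is the signal that the "tell someone when things look weird" message is landing.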
📅 Training Frequency: Continuous, Not Annual
Annual security training is theater. People forget. Threats evolve. Training once per year is like brushing your teeth once per year—ineffective and gross.
- Onboarding - New hires get baseline training
- Quarterly refreshers - Short, focused topics
- Monthly phishing sims - Keep awareness active
- Incident-triggered - Train after actual phishing campaigns
- Role-specific - Developers need different training than finance
ILLUMINATION: Training once and expecting permanent behavior change is optimistic. Humans forget. Train continuously or accept continuous risk.
📋 What Hack23 Actually Does
Our security awareness program is public (of course): ISMS-PUBLIC Repository
Note: Security awareness and training requirements are covered in the Information Security Policy. No standalone security awareness training policy exists – training requirements are integrated into the overall security framework.
- Onboarding training - All new hires, required completion
- Quarterly modules - Focused topics, 15 minutes each
- Monthly phishing sims - Realistic scenarios with immediate feedback
- Incident-triggered training - When real phishing occurs, everyone trains
- Role-specific content - Developers, admins, executives get targeted training
- Metrics tracking - Click rates, completion rates, incident reports
META-ILLUMINATION: Perfect security training produces users who question everything, including training. Teach skepticism, not blind obedience.
🎯 Conclusion: Train, Test, Repeat
Humans will never be perfect security controls. They'll click links. They'll reuse passwords. They'll hold doors. Train them anyway.
Security awareness training isn't about eliminating human error—it's about reducing it enough that other controls can compensate. Defense in depth includes educated users.
Train continuously. Test regularly. Don't punish mistakes—learn from them. And assume users are compromised anyway, because eventually they will be.
All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question everything—especially that urgent email from your boss asking for wire transfers to an unfamiliar account."
🍎 23 FNORD 5
— Hagbard Celine, Captain of the Leif Erikson
P.S. You are now in Chapel Perilous. Security training both works and doesn't work. Both are true. Users are both educated and exploitable. Nothing is true. Everything is permitted—except clicking suspicious links.