In my time in cybersecurity, I've been fortunate enough to be exposed to quite a bit within the field. Blue team topics, red team topics, compliance…all of these have their places within cybersecurity. We as cybersecurity professionals do our best to protect the organizations and assets for which we’re responsible. That being said, there’s always been that one part of cybersecurity that I feel doesn’t get the “proper” security treatment: the everyday person.
Don’t get me wrong…people are exposed to cybersecurity in terms of what’s on the news and their on-the-job training, but the fact of the matter is that most cybersecurity training is geared towards new and existing cybersecurity professionals, and not the average person.
Most of the training that people take as part of their jobs is security awareness training, which covers phishing, various forms of social engineering, and other topics that are relevant to them from a security perspective. I find a couple of problems with the typical training:
The information presented in the training goes in one ear and out the other
The information doesn’t hit users hard enough for it to stick with them
The training becomes just another thing to check off the list of annual things to do
Users end up falling victim to attacks anyway
As someone who takes an interest in attacker behavior, I believe the everyday user would benefit more if they were exposed to what actually CAN happen if they fall victim to some kind of hack. I’m not talking about general, vague “these bad things can happen” warnings, but about showing them sample attacks that could actually work on them under the right circumstances. My theory is that showing them actual attacks makes training a little more interesting and more likely to stick.
I’m throwing my hat into the ring when it comes to this, and I’ve developed my first course as part of a series I call “Security in 30”, which is security information delivered in 30 minutes or less. The course, “Hacking You”, is dedicated to informing the everyday user about security. I talk about topics like the following:
Getting information about people from social media
Password dumps and phishing emails
Malicious Office documents
Man in the Browser attacks
Hacking Windows and Mac OS
I’ve uploaded the series to YouTube on my SmithSec channel, which can be found at https://www.youtube.com/watch?v=dIAnWD-JIWs&list=PLMe_U41ZVqEJCQny92aOYvxsNjvp8biOQ. Below is the first video of the series, so take a look!