A standing joke in cybersecurity circles is that it's easy to keep your data safe: just disconnect every computer from the internet. That might keep the data safe, but it would also make most systems useless. So, companies spend a lot of money on sophisticated technology like firewalls, encryption programs, and real-time intrusion monitoring, just to name a few. They also hire highly experienced security professionals, and engage in security education, training, and awareness efforts with their employees, customers, and business partners.

Security Education, Training, and Awareness, also known as SETA, is a fundamental task for security-focused organizations. These efforts provide critical information to employees to maintain or improve their current levels of security knowledge. The benefits of most SETA efforts include improving employee behavior, helping employees know where or how to report violations, and enabling organizations to hold employees accountable. For now, we're going to focus just on the effort to improve employee behavior.

It's reported that over half of all information security breaches are either indirectly or directly caused by employees' poor security behaviors. Some estimates are as high as 95 percent of successful breaches requiring one or more employees to become complicit with the hacker in some way. Let's stop and think about that. Security breaches might be initiated by some hacktivist or bad actor in a faraway land, but their success does not rely on the technical genius that they have so much as it relies on corporate employees not following procedure.

So how do organizations make sure that employees are aware of, and are complying with, security policies? They roll out training that is often a boring, computer-based, voice-over-PowerPoint annual event. In short, here are some things you can do to stay safe from phishing e-mails. One, never click on unexpected links or attachments.
Compliance is expected because the training is mandated. There have been a number of academic studies focused on how and why security training is effective or ineffective. I am also fairly sure that many disgruntled security managers have asked the same question. So, why is security training not as effective as organizations would like? First, we have to think about the underlying assumptions behind such training. Did the designers believe that the security rules are mostly being followed, and that they are simply reminding the users of the importance of continued compliance? Or are these annual training efforts intended to improve compliance? I already mentioned that SETA efforts are focused on improving employee behavior, but surely some of the employees are doing what they're supposed to do.

To help answer this question, I asked a security manager to describe training effectiveness in his organization. He said, "No matter how well you train folks, it will never keep you 100 percent safe. Each year we perform two to three phishing training scenarios." Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in electronic communication. He continued, "We are normally 10 to 15 percent effective in harvesting. For an organization of 4,500-ish people, that's still about 450 usernames and passwords. Doing so has created 450 insider threats. Tax-related phishing tests are the best." So, after annual training, this organization sends fake e-mails to its employees to see if anyone will send their login information, even their password. About 10 to 15 percent do just that. This is not an uncommon result.