Time Constraints Hamper Security Awareness Programs
Even as more attacks target humans, lack of dedicated staff, relevant skills, and time are making it harder to develop a security-aware and engaged workforce, SANS says.
Security awareness covers how people recognize and avoid phishing, social engineering, unsafe practices, and other causes of cybersecurity incidents.
Search across headline titles and summaries.
Background for this topic.
Security awareness is the ability of people in an organization to recognize security risks and make safer decisions when using systems, handling information, or communicating. It covers practical behavior such as checking unexpected login requests, protecting credentials, verifying payment or access changes through trusted channels, limiting sensitive data exposure, and reporting suspected phishing or social engineering promptly. Awareness is not a guarantee that users will avoid every mistake; it reduces risk when guidance is relevant to people’s roles and workflows.
Security practitioners assess awareness through targeted education, realistic exercises, clear reporting paths, and measures such as reporting quality and time to escalation—not merely course completion. News under this tag may therefore concern phishing and impersonation campaigns, unsafe handling of personal or confidential data, policy changes, or lessons from incidents involving human decisions. Effective programs should reinforce technical controls such as multifactor authentication and least privilege, while avoiding blame: users need simple procedures for verifying requests, reporting errors, and obtaining help before a mistake becomes an intrusion.
Even as more attacks target humans, lack of dedicated staff, relevant skills, and time are making it harder to develop a security-aware and engaged workforce, SANS says.