Further Reading: Security Awareness Training
Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order below; you do not need to read everything before Chapter 31.
Suggested order
- Read NIST SP 800-50 (and its successor guidance) to anchor what a formal awareness program officially contains and how it is governed.
- Skim the human-element findings in the Verizon DBIR to ground "why phishing still works" in data.
- Read one accessible behavioral-science source (Fogg or Thaler & Sunstein) to understand why nudges and just-in-time training change behavior where lectures do not.
- Browse a vendor or community security-awareness benchmark report for realistic click/report-rate ranges — treating the figures as Tier 2 (directional, not precise).
Standards & primary documents (Tier 1)
- NIST, SP 800-50: Building an Information Technology Security Awareness and Training Program. 📋📜 The foundational U.S. government guidance on designing, governing, and measuring an awareness program — the policy-altitude backbone for everything in this chapter. (Note: NIST has been modernizing this guidance; read the current revision alongside the original.)
- NIST, SP 800-53 (Awareness and Training, the AT control family). 📋📜 The specific control requirements (AT-1 through AT-6) an auditor maps your program against; pairs with the Chapter 28 compliance work.
- NIST, Cybersecurity Framework (CSF) 2.0 — the Protect (PR) Function, awareness & training. 📋 Where the human layer sits in the larger program structure you have been building.
- Verizon, Data Breach Investigations Report (DBIR) (annual). 🛡️📋 The most-cited evidence that a large share of breaches involve a human element — phishing, pretexting (BEC), error, and misuse. Read the "human element" and "social engineering" sections to see why this chapter exists.
- CISA, Phishing guidance and the "Avoiding Social Engineering and Phishing Attacks" resources. 🛡️📋 Practical, free, government-published guidance suitable for sharing directly with a workforce.
- FBI / IC3, Business Email Compromise public-service announcements and annual loss figures. 📋 The authoritative source on BEC — the threat behind both of this chapter's case studies; the reported losses are staggering and make the finance-tier investment case for you. (Cite specific figures from the current report; treat older numbers as dated.)
Books (Tier 1 / Tier 2)
- Fogg, B. J., Tiny Habits (and the Fogg Behavior Model, B = MAP). 🏗️📋 The behavioral-science basis for "behavior over knowledge": behavior = Motivation × Ability × Prompt. The single most useful mental model for designing interventions that actually change what people do. (Tier 2 for the security application; Tier 1 for the model itself.)
- Thaler, R., & Sunstein, C., Nudge. 📋 The origin of the nudge concept this chapter applies — how small changes to the choice environment steer behavior without mandates. Read it to design better defaults, banners, and report buttons.
- Cialdini, R., Influence: The Psychology of Persuasion. 🛡️📋 The six principles (authority, urgency/scarcity, social proof, liking, reciprocity, commitment) that every social-engineering attack exploits — and therefore every defense must anticipate. Read it as a defender studying the attacker's playbook.
- Hadnagy, C., Social Engineering: The Science of Human Hacking. 🛡️🏗️ A defender-relevant tour of how human manipulation actually works; study it to understand the threat you are training people to resist. (Read for defense; the authorization rule from Chapter 1 governs any practice.)
- Reason, J., Human Error (the "Swiss cheese" model), and the Just Culture literature (e.g., Dekker). 📋 The aviation- and medicine-derived foundations of the no-blame reporting culture this chapter borrows. Essential for understanding why blame suppresses the reporting you most need.
Free online & talks (Tier 1 / Tier 2)
- SANS Security Awareness — the Security Awareness Maturity Model and annual Security Awareness Report. 📋🛡️ A widely used framework for assessing where your program sits (from "non-existent" to "metrics-driven") and a yearly survey of the field's state and benchmarks. (Tier 2 for specific benchmark figures — directional, not precise.)
- Anti-Phishing Working Group (APWG) trend reports. 🛡️📋 Periodic data on phishing volumes and techniques; useful for situational awareness and for the "why phishing still works" argument. (Tier 2 for exact figures.)
- Vendor phishing-simulation benchmark reports (e.g., industry click-rate-by-sector studies). 📋 Useful for ranges of realistic click and report rates by industry and program maturity. Treat all specific percentages as Tier 2 — methodologies vary widely; use them to calibrate expectations, never to claim a precise figure. This chapter deliberately cites ranges, not invented numbers.
Tools to explore (in your own authorized environment only)
- Open-source phishing-simulation frameworks (e.g., GoPhish). 🏗️ For learning the mechanics and metrics of running an ethical, authorized simulation in your own lab. Build a teachable-moment landing page; never send to anyone who has not consented or any system you are not authorized to test.
- A "report phishing" button / add-in for your mail client. 🏗️🛡️ The single highest-leverage technical intervention from this chapter — explore how the major mail platforms implement one-click reporting and how it can feed a SOC/SIEM pipeline.
- A personal verification habit. 📋 Practice the §30.2 reflex in your own life: for any unexpected request involving money or credentials, verify out-of-band through a known channel before acting. The best human-firewall drill needs no software.
⚖️ Authorization & Ethics reminder: Several resources here describe offensive social-engineering and phishing techniques. Study them to defend; build and run simulations only with written authorization, governance, legal/HR review, and a no-blame posture — and never against anyone who has not consented (Chapter 1's rule is absolute; the ethics of employee testing are revisited in Chapter 39).