Cybersecurity awareness programs have spent decades telling employees to stay alert. Jayson Street believes they've been teaching the wrong lesson.
During a recent CYBR.HAK.CAST interview, the veteran social engineer argued that most security awareness programs fail because they are built around an unrealistic assumption: that employees can remain vigilant every moment of every workday.
"Our security policy is hinged on the fact that they are 100 percent vigilant and aware at all times," Street said. "Ridiculous and stupid and harmful to the company."
Check out the full episode and related article:


Street's argument comes from years spent conducting physical and social engineering assessments around the world. Early in his career, success meant finding vulnerabilities and proving organizations could be breached.
Today, his goal is different.
Instead of proving employees fail, he looks for opportunities to help them succeed.
That shift began during an engagement at a government facility where he deliberately gave an employee the opportunity to recognize suspicious behavior and take corrective action after making an initial mistake. The employee ultimately reported him, security responded, and the organization gained a valuable learning experience.
The experience convinced Street that awareness training should focus less on compliance and more on situational awareness.
To explain the concept, he uses a simple analogy:
Most people have driven home from work and realized they barely remember parts of the trip. The brain naturally operates on autopilot during familiar activities. Yet if a child suddenly runs into the road, attention immediately snaps into focus.
That's the behavior Street wants organizations to cultivate.
More on security awareness:


Employees don't need to scrutinize every email with forensic precision. They need to recognize when something doesn't fit the normal pattern.
A message from the CEO that arrives unexpectedly.
A request that feels unusual.
A login prompt that appears out of context.
Those are the "children in the road."
"Teach your employees to look for the child in the road," Street said.
That philosophy also changes how red team engagements should be conducted.
Street believes organizations spend too much time documenting employee failures and not enough time celebrating successes.
"If you're a red teamer, and you're not celebrating the successes of your clients for doing the right thing and stopping you and thwarting you, you suck."
For Street, security isn't about proving people are the weakest link.
It's about helping them recognize when it's time to stop, think, and pay attention. And that's a lesson far more valuable than another annual training module.



