Skip to content

Employees Aren't the Weakest Link: Jayson Street's Case for Situational Awareness

Security awareness programs fail when they expect constant vigilance. Jayson Street says organizations should teach employees when to switch out of autopilot instead.

Cybersecurity awareness programs have spent decades telling employees to stay alert. Jayson Street believes they've been teaching the wrong lesson.

During a recent CYBR.HAK.CAST interview, the veteran social engineer argued that most security awareness programs fail because they are built around an unrealistic assumption: that employees can remain vigilant every moment of every workday.

"Our security policy is hinged on the fact that they are 100 percent vigilant and aware at all times," Street said. "Ridiculous and stupid and harmful to the company."

Check out the full episode and related article:

Lying for a Living with Jayson Street
Street says stronger cybersecurity awareness comes from investing in people, improving situational awareness, and helping employees recognize when something is out of the ordinary.
Every 3-Year-Old Is a Hacker: Jayson Street on Curiosity, Community, and Hacker Culture
Jayson Street explains why hacking starts with curiosity, why community matters, and how hacker culture extends beyond computers.

Street's argument comes from years spent conducting physical and social engineering assessments around the world. Early in his career, success meant finding vulnerabilities and proving organizations could be breached.

Today, his goal is different.

Instead of proving employees fail, he looks for opportunities to help them succeed.

That shift began during an engagement at a government facility where he deliberately gave an employee the opportunity to recognize suspicious behavior and take corrective action after making an initial mistake. The employee ultimately reported him, security responded, and the organization gained a valuable learning experience.

The experience convinced Street that awareness training should focus less on compliance and more on situational awareness.

To explain the concept, he uses a simple analogy:

Most people have driven home from work and realized they barely remember parts of the trip. The brain naturally operates on autopilot during familiar activities. Yet if a child suddenly runs into the road, attention immediately snaps into focus.

That's the behavior Street wants organizations to cultivate.

More on security awareness:

Why Security Awareness Training Failed and What’s Next
Security awareness training isn’t stopping breaches. Learn why human behavior matters and what security teams should do next. (Includes infographic)
What Mayonnaise Has To Do With Failures in Security Awareness Training
Also this week: Trump’s quantum EO tightens screws on PQC compliance, AI changes the email security game and continues to cause a CVE avalanche.

Employees don't need to scrutinize every email with forensic precision. They need to recognize when something doesn't fit the normal pattern.

A message from the CEO that arrives unexpectedly.

A request that feels unusual.

A login prompt that appears out of context.

Those are the "children in the road."

"Teach your employees to look for the child in the road," Street said.

That philosophy also changes how red team engagements should be conducted.

Street believes organizations spend too much time documenting employee failures and not enough time celebrating successes.

"If you're a red teamer, and you're not celebrating the successes of your clients for doing the right thing and stopping you and thwarting you, you suck."

For Street, security isn't about proving people are the weakest link.

It's about helping them recognize when it's time to stop, think, and pay attention. And that's a lesson far more valuable than another annual training module.

HOU.SEC.CON CTA

Latest

Above the Packet: Cybersecurity's New Meaning Layer

Above the Packet: Cybersecurity's New Meaning Layer

In less than two weeks, a question about software safety moved from coffee-call conversation to an OpenSSF issue, a community schema, a validator, and active alignment with CycloneDX and SPDX. That speed is interesting. The way it happened is more interesting.