Was asked by our customers to start engaging in more social engineering exercises with Christina. Got annoyed at seeing everyone treat security awareness like a technical control; it's not. Wanted to capture thoughts on technical controls that can improve social engineering IR from preparation through to recovery. The goal should not be to blame the "user" for our security problems. The people (firefighters, nurses, grandparents) using our systems need to be protected from themselves with technical controls, and we are the security "professionals" who should be helping figure out how to accomplish this goal. To quote the Foo Fighters: "You're the pretender. What if I say I will never surrender?":
Social Engineering Defenses: Reducing The Human Element
Most security awareness advice is terrible, just plain bad, and not remotely feasible for your average person.
https://www.darkreading.com/social-engineering-defenses-reducing-the-human-element/a/d-id/1320223