Security Awareness & Human Factors
Phishing simulation, security culture measurement, behavioral psychology, insider threat programs, social engineering defense training.
What is Security Awareness & Human Factors?
Security awareness and human factors is the discipline of reducing human-driven security risk through education, behavioral change, and organizational culture. Despite billions spent on technical controls, humans remain the most exploited attack vector — phishing accounts for the initial access in the majority of breaches, and insider threats (both malicious and negligent) cause some of the most damaging security incidents.
Modern security awareness programs have evolved far beyond annual compliance training videos. Effective programs use phishing simulations with progressive difficulty, just-in-time training triggered by risky behaviors, gamification, and behavioral nudges integrated into daily workflows. The field draws heavily on behavioral psychology — understanding cognitive biases like authority bias (why CEO fraud works), urgency bias (why 'act now' phishing succeeds), and the availability heuristic (why people underestimate risks they haven't personally experienced).
Insider threat programs address the full spectrum from negligent employees who accidentally expose data to malicious insiders who deliberately steal intellectual property or sabotage systems. These programs combine technical controls (DLP, UEBA) with organizational measures (behavioral indicators, reporting cultures, employee support programs) while carefully balancing security with employee privacy and trust.
Why it matters
Technology alone cannot solve security when humans are the primary attack vector. Building a security-conscious culture where every employee is an active participant in defense is the most cost-effective risk reduction an organization can achieve.
Security awareness connects to every technical security domain by addressing the human element that technical controls cannot fully mitigate. It transforms employees from the weakest link into an active layer of defense.
Curated resources
Authoritative sources we ground Security Awareness & Human Factors questions in — frameworks, research, guides, and tools.
NIST SP 800-50 Rev. 1 — Building a Cybersecurity and Privacy Awareness and Training Program
The federal model for awareness program design — needs assessment, scoping, content design, evaluation. The default reference for "what does an awareness program look like."
NIST SP 800-181 Rev. 1 — NICE Workforce Framework for Cybersecurity
Standard taxonomy of cybersecurity work roles, tasks, KSAs. Used for role-based training design and human-risk targeting.
SANS Security Awareness Maturity Model
Five-stage maturity model (Non-Existent → Compliance → Promoting → Long-Term Sustainment → Metrics) widely used to benchmark awareness programs. Practitioner-tested.
CISA Cybersecurity Awareness Month
Annual federal campaign with current-year themes, free materials, and partner toolkits. Reflects the public-facing federal stance on awareness messaging.
CISA Cybersecurity Education and Training
Federal hub for cybersecurity training resources, career development pathways, and free CISA-developed training programs. Companion to NICE for workforce-readiness questions.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
EC-Council Certified Secure Computer User