A social engineering awareness and training workshop for STEM students and practitioners

The human element is often regarded as the weakest link in cybersecurity, yet awareness and training efforts focus primarily on the technical aspects of cybersecurity and downplay the relevance of the human factor. One way to exploit this human vulnerability is through social engineering, in which cybercriminals utilize persuasion and manipulation of human behavior and psychology to convince individuals to reveal information, provide access or perform an action. This paper offers a case study on efforts to design and develop a social engineering awareness and training program that was implemented at the 2019 National Science Foundation Cybersecurity Summit using the National Institute of Standards and Technology framework for program development. This program was developed to enhance the ability for individuals in the future and current workforce to protect their organization against vulnerabilities to social engineering attacks, through corresponding awareness and training. The authors share the different stages that are involved in producing a successful program: designing the program, developing the awareness and training material, and implementing the program. In addition, this paper details the challenges and lessons the authors experienced and learned, which can be used as a guide for other practitioners to develop social engineering awareness and training programs.