Security awareness training has become an annual ritual: assign the modules, run a phishing simulation, log the completion rates, satisfy the auditor. This piece makes the practitioner’s case that most of it is theater. It rarely changes what a capable attacker can actually pull off, and it quietly shifts the blame for a breach onto whoever clicked.
The point isn’t that people don’t matter. It’s that leaning on training as a control is a losing bet: an attacker only needs one person to slip once, and no amount of yearly coursework changes that arithmetic. The stronger investment is building for the assumption that someone will click, with phishing-resistant authentication, least privilege, segmentation, and detection that catches an intrusion while it’s still small.
This is an opinion piece by an OSec practitioner, first published on The Readable.