This post is the second in a series of what I consider the top ten topics for any security awareness program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start. I feel the topic of Social Engineering is one of the most important in your awareness arsenal and should be the second module you teach (after You Are The Target). The idea is that most attacks against humans today are based on some form of social engineering. By explaining what social engineering is and how it works, you lay the foundation for how employees can protect themselves. In addition, by understanding social engineering, you prepare end users for future attacks we are not even aware of yet, providing long term value. That is why I always like to teach social engineering first with a non-technical example. Specifically how attackers can trick you out of your credit card number when you are staying at a hotel. This example is something most non-technical users can identify with. Once they understand these concepts, it becomes much easier to teach the same lessons but for the cyber world. To see an example of how this can be communicated, check out this awareness video on Social Engineering.