The security industry always talks about our users as the first line of defense, although they rarely live up to our security expectations. The reason for this is that the way the security industry teaches security to non-security people is flawed. I have developed and taught security classes for application developers, end users, and management and will be showing what makes a successful and effective training or awareness campaign. Some of the things that have proven useful are using positive definitions for security, ensuring relevance, and leveraging tools from social psychology to teach security.

- stop focusing on problems
- build, don't break
- provide actionable advice
- use social psychology

About Ari Elias-Bachrach

Ari is a former penetration tester who has since migrated over to the defensive side. He has been a consultant and an in-house security engineer for a large financial institution. He spends most of his time working with developers trying to address application security concerns, and trying to bridge the gap between development and security. He also designs security awareness and training courses, and teaches developer security classes at the NIH.