A key finding from the 2008 information security survey by PwC is that organizations are spending more on security technologies but need to achieve a better balance: "One of the best ways of improving enterprise-wide visibility into the crucial details of actual security incidents is to match technology investments with an equally robust commitment to the other principal drivers of security’s value: the critical business and security processes that support technology, and the people that administer them." Technology is a bottomless pit for security investment: one can always spend more on security hardware and software but after the basics (such as antivirus and firewalls) are covered, the returns diminish. Organizations should be complementing their technological investments with security awareness and training. "What matters, of course, is improving an organization’s ability to defend and prevent attacks on an ongoing basis—without distracting people from the every-d...

Surveys and news items suggest that social engineering attacks are on the rise in terms of scale and sophistication, as well as number. A new 40-page white paper from ENISA : outlines social engineering methods such as pretexting, phishing, spear phishing and vishing; presents an interview with acknowledged social engineer Kevin Mitnick; discusses three studies portraying how easily naive/untrained users are manipulated; identifies five defence measures; and offers a checklist to fight social engineering based on the mnemonic LIST (Legitimacy, Importance, Source, Timing). While technical controls can help to some extent for example by identifying emails that might be phishers, research on undergraduates (described in the paper) demonstrates the effectiveness of repeated security awareness/training.