Security awareness can be the most cost-effective security measure

25.07.2012
I was once called into a multinational oil company which wanted advice on a situation. One of their employees called them, because a coworker was displaying unusual behaviors. An investigation was performed, and it was learned that the coworker was giving information to a . At another company, an employee stopped a person from tailgating them into a facility and it turns out the tailgater was responsible for stealing more than a dozen laptops from company facilities.

While performing a penetration test at one company, the security manager told me I should take a long lunch at a very specific restaurant, and just . I learned of the company's marketing plans for a top product. Going to lunch at dozens of restaurants near the National Security Agency, an organization with extensive security awareness efforts, I can hear nothing of any significance.

During a firewall penetration test, a strictly technical penetration test, I received a call from a bank vice president telling me to stop my BS. I asked what the person was talking about, and was told that their people had received a call asking for details about the firewall. As their awareness training described, they replied that they needed the caller's contact information and would get back to them. The manager assumed that the call must be part of my penetration test, which it wasn't.

It was a real attack, and they responded appropriately.


I can go on, and give dozens of examples of security awareness success stories, but everyone knows of such success stories. Frankly, everyone reading this article can likely point to countless personal stories of how their behavior saved them from being a victim of some attack.