What do Shakespearean tragedies and security issues have in common? Both are overwhelmingly the result of human error. Othello is one of Shakespeare’s greatest plays, and Iago is one of literature’s first social engineers.

The hubris of Othello and the cruelty of Iago transcend time and generation because human beings are flawed. If this is true, then regardless of how impenetrable they believe their hardware and software programs to be, CSOs and CISOs can only do so much to build barriers around their organizations. In the end, the security of their organizations is not contingent upon the strength of their hardware but is at the mercy of hackers and the end users.

Will they believe their corporations are impervious to threats because they’ve been lucky up until now, or will they continue to build the layers of defense that will help to minimize the risk of being compromised?

Amanda Berlin, network security engineer at Hurricane Labs, said that the greatest weakness for any organization, large or small, private or public, is people.

“People in general want to make customers and employees happy, so they trust the person on the other end of the phone or sending the email,” Berlin said.

When looking at the threats that have made the security of corporations most vulnerable over the past few years, from social networking to social engineering, the common denominator is the end user.

“Employees continue to be the biggest risk [for corporations]. They are the most frequent cause of mistakes and have the biggest consequences,” said Marie White, President and CEO of Security Mentor. As hackers become more sophisticated, the risks become greater that end users will fall victim to their scams.

“There are new risks in clouds.
Phishing has been tied back to major data breaches, and it’s not just email. Social media phishers are getting much more sophisticated,” White said.

From password security to information sharing to other seemingly innocent acts that are making accounts vulnerable, “people are putting too much information out there, and it’s very easy to social engineer someone when you know a lot about them,” said Lesley Carhart, security incident response lead at Motorola Solutions.

Though hackers have somewhat diverted from using social media as a means of infiltrating organizations, the cumulative data available on sites like LinkedIn makes accessing information really easy for those with malicious intent.

Hackers don’t need to be savvy to search through online profiles. Carhart said, “they can scan through information and see what people have on their resumes, where they worked, what kind of firewalls that company has, what security teams people worked on. It’s easy to hack using open source.”

Whether the intent of the hacker is for financial, political, or some other gain, “malware can be encrypted in a way that without backup can result in lost documents, lost resources, time, and money which can affect companies in similar magnitudes [as a financial breach].”

During April’s RSA Conference in San Francisco, Thom Langford explained that ‘plugging in’ and ‘clicking on’ still happens despite posters and warnings and an annual CBT program because human beings are entrenched in their behaviors.

“They know it’s bad to plug a random USB stick into their laptops, but they will still do it. It’s a habit,” Langford said. Marketing a corporation’s values and story will create a positive experience and engage end users, Langford said.

So how do corporations develop awareness programs that fit into both their organizations and their budgets?
There is no panacea because everyone in the equation from the executives to housekeeping has different values.

Breach attacks are not a matter of behavior and habit so much as a question of what people value. Increasingly, end users value convenience over security.

“That’s the trade off some employees are willing to make, they value convenience over security, so they are choosing between security awareness vs. open source,” said Carhart.

A robber values your wallet, a point made only to prove that not everyone has good values—remember Iago, who valued deception over loyalty.

Organizations have to know what they are securing, and “the barrier of an awareness program comes from people knowing what’s going on. Employees are the first line of defense,” said Carhart.

Regardless of the size of their organization, companies employ Millennials to Baby Boomers and the generations in between. That’s a vast spectrum of people to educate, so “they have to evaluate the environment. Who are you securing?” Carhart said.

Once they know, they can be more innovative in building the layers of defense.

“The major rule of awareness programs is being creative and innovative,” Carhart said, “and the strongest security requires defense in depth, which includes humans, devices, and policies—the technical plus human control.”

As with all things in life, there is little chance of perfection, so it’s important that security teams manage their expectations.

“The expectation of 100% chance of success doesn’t exist anywhere else,” said White, who also talked about the need for defense in depth.
Yes, strong hardware security is a part of protecting against breaches, but White added, “hardware and software can’t address the changing tides of hacker intelligence.”

Trying to reach everybody across all levels of expertise demands that employers “recognize and understand that people are coming from different places. Millennials expect engaging and interactive tools which helps training be much more effective for them, so it’s about knowing what to put in their programs,” White said.

Companies need to assess what they are doing now with the understanding that a security breach either has or will happen, and assessing means taking an internal scan by asking: “What are their current issues? What are they doing now? Who can help them?” White suggested.

“Hackers are extremely knowledgeable, and if hackers choose to get in, they can. Many organizations need to do a lot with hardware and software and with how end users can mitigate what can happen. Anything they can do to minimize their risks.”

If attacks are imminent and no organization is impenetrable, then why should organizations devote time and resources to developing awareness programs at all?

Berlin explained that in a phishing experiment she did, she got everyone from housekeeping to CEOs to ITs to give their password. Berlin said that in the security awareness program she put in place “over the last 10 months, which consisted of easy emails with plain text and Gmail addresses,” she had a more than 40% success rate when she asked for usernames and passwords.

“Six months later, that dropped down to zero results and emails received were reported and blocked within 10 minutes.”

In designing an awareness plan, organizations should know that there is never a one size fits all, nor does a good awareness program need to cost a lot of money.

“All of the principles stay the same,” said Berlin. “Teach users hands on what looks suspicious, give them the ability to report, have good spam filtering, good management, two factor authentication, train users with something that will stick,” Berlin said.

While vendors are expensive, “an external pen test to prove what you’re doing is successful is a good metric,” she added.

Zurkus is a freelance writer based in Massachusetts.