Threats are exploited with a variety of attacks, some technical, others not so much.
Organizations that focus on the technical attacks and neglect items such as policies and
procedures or employee training and awareness are setting up information security for