I had a fascinating discussion with Mike Murray, principal at MAD Security, yesterday at a local ISSA chapter meeting. In his presentation, and in a one-on-one discussion afterward, he covered a lot of ground, but the two central points that kept coming up are 1: there is a somewhat predictable cycle to the ebb and flow of vulnerability and exploit; and 2: awareness training as most companies approach it is only marginally ineffective.