people binary

A theme I sometimes  hear  from  people in the the security community is you can't patch stupid.  That "End Users"  are too dumb or ignorant to be secured. Wow, I can't think of a more unfounded, prejudice statement.  First, "End Users" are people like you and me, so I suggest we start calling them that.  Second, many  of the people I see organizations trying  to secure are very  intelligent.  These organizations include people such as engineers, accountants, scientists, lawyers, researchers, doctors and a myriad of other smart  people.  

In one extreme example I know a security  awareness officer whose organization is so highly educated that the average employee has 2.5 PhDs. Finally, most people I talk to are motivated, they want to do the right thing and be secure.  So if we are working with people who are both smart  and motivated, what is the problem? I think we the security community need to take a long look in the mirror.  You will quickly see that we are the problem.  

Think of people as another operating system, the HumanOS.  Now think,  what  have we done to secure this operating system?  Very little.  We've spent the past twenty  years investing in and focusing on just technology.  Now we need to take a step back and start focusing on the HumanOS.  We also need to understand that we simply cannot dictate to people what to do.  We need to understand who our  audience is and how to effectively engage them, which requires a set of skills most security professionals lack.  Ultimately it is our responsibility  to help our employees, not make fun of them.  Until we recognize this fact, people will continue to be the weakest link, and it will be our fault.