A theme I sometimes hear from people in the security community is "you can't patch stupid": that "End Users" are too dumb or ignorant to be secured. Wow, I can't think of a more unfounded, prejudiced statement. First, "End Users" are people like you and me, so I suggest we start calling them that. Second, many of the people I see organizations trying to secure are very intelligent. These organizations include people such as engineers, accountants, scientists, lawyers, researchers, doctors and a myriad of other smart people. In one extreme example, I know a security awareness officer whose organization is so highly educated that the average employee has 2.5 PhDs. Finally, most people I talk to are motivated; they want to do the right thing and be secure. So if we are working with people who are both smart and motivated, what is the problem?
I think we, the security community, need to take a long look in the mirror. You will quickly see that we are the problem. Think of people as another operating system, the HumanOS. Now think: what have we done to secure this operating system? Very little. We've spent the past twenty years investing in and focusing on just technology. Now we need to take a step back and start focusing on the HumanOS. We also need to understand that we simply cannot dictate to people what to do. We need to understand who our audience is and how to effectively engage them, which requires a set of skills most security professionals lack. Ultimately it is our responsibility to help our employees, not make fun of them. Until we recognize this fact, people will continue to be the weakest link, and it will be our fault.