User Awareness and Personal Training

Cvoid had a post recently about The Real Problem with Information Security. The message there fits neatly with the ideas in my recent rant about user awareness. From Void's article:

"Security should be all-pervasive yet invisible to the average user. If it is too visible, too complicated, too anything, it won’t get any traction. So the awareness needs to be developed at the earliest possible moment. The awareness needs to come from the people who design and build these systems. Security should be built-in from the start, not grafted on after the fact to fix some symptom."

I don't know that there's anybody out there who would disagree with the importance of building in security at the beginning. It's much like the diet and fitness industry: we all know that we should get up every morning and go to the gym, and skip that extra piece of chocolate cake. But knowing the path is very different from walking the path, as Morpheus once said.

Even the least security-savvy user would likely agree that they shouldn't open email attachments from unsavory characters, nor hand their password to whoever happens to call asking for it. But, just as with the gym, knowing the path isn't at all the same as walking the path.

What do people do when they want to go to the gym more often? They get a workout buddy or a personal trainer. So here is an interesting question: how can the security team be the personal trainer for the users in the enterprise?

