Last week, Rich Bejtlich posted his common security mistakes to TaoSecurity. His points are all excellent and well thought out; however, I would add one more item to his list: awareness.
It is very much in vogue to say that user education must be eradicated [link to http://www.threatchaos.com/archives/2005/10/dangerous_meme.htm no longer works], that it will never work, and that it is one of the dumbest ideas in computer security. However, all of these authors miss a vital point: if users don’t know what they are and are not supposed to do, it is no wonder that they break the rules and make mistakes.
It’s all well and good to believe that technology should protect the user. That argument works well for things like spam and spyware (even if the technology doesn’t), but it just doesn’t fly when it comes to policy-based issues like the sharing of confidential information or the writing of quality code. At some point, users need to understand why things need to be done a certain way, whether for security, safety or just plain profit. How are they going to get that? Osmosis?