On Mon, Feb 12, 2007 at 01:45:41AM -0500, Sean Donelan <sean@donelan.com> wrote a message of 16 lines which said:
> The important lesson is you can educate people. The content may have been bogus,
Right on spot: it is easy to "educate" people with simple and meaningless advice such as "Install an antivirus" or "Hide under the desk" or (my favorite, now known by most ordinary users) "Do not open attachments from unknown recipients". But most security risks do not require "monkey advice" (advice that an ordinary monkey could follow). They require intelligence, knowledge in the field, and time, all things that are in short supply. The discussion about the NPO who had the choice between breaking stuff that works because of patches or risking an attack was a very good one and the "IT manager" at the NPO was quite reasonable, indeed: the aim is not security (except for security professionals), the aim is to have the work done and, if you listen only to the security experts, no work will ever be done (but you will be safe).
> If you can come up with a few simple things to do, it is possible to reach most of the public.
Sure, just find these few simple things that will actually improve security. (My personal one would be "Erase MS-Windows and install Ubuntu". If we are ready to inconvenience ordinary workers with computer security, this one would be a good start.)