Clarification, please
The statistic that impressed me was the 95 percent who believed the story to be true. I'm betting most IT experts would like to have that percentage of users believing what they say.
Believe? My users ask me what to do in a given context and I tell them. It's not a question of belief, more a simple case of an ability (or otherwise) to follow instructions.
Also, this confused the hell out of me:
You never tell anyone what to do. You tell them what may or may not have worked for you. Sound familiar?
I don't quite understand the point here; my job involves almost exclusively telling people what to do. There's very little point implementing a system and then being vague about how it works or going all allegorical on their asses.
I get that in a wider context security education is a difficult thing to achieve, and appreciate the research from a consumer perspective, but in business, users should do what they're told; it's work, that thing the company needs them to do in order to make a profit. The trick is to make sure you can catch it if they do it wrong, then tell them again (in a security context that's blocking malicious websites and emails and a decent virus strategy). I can't see any mileage in this approach to educating business users about processes, excepting what they learn from each other, making the whole point of the article moot, surely?