Recently, during an event at a University, I had the pleasure of participating in a panel discussion, and it did not take too long until I was heavily in disagreement with the professors there. The reason? It became a discussion around consumer security and risk management. The claim the professors made was that the consumer has to assess the risks of their actions.
Well, I am a believer today that this will not work (even though it would be preferable). I definitely agree that everybody should take responsibility for all the actions a person is doing. Nevertheless, there is a strong "but". Let's go back in history a little bit:
My grand-uncle was a farmer. Where he lived, nobody ever locked the doors - there was no reason to do that as there was nobody anyway who was interested in getting into the house (at least it never happened) and he did not have too many valuables at home anyway. So he did a "risk assessment", looked at the "assets" and decided to do it that way. When my parents later moved to the city where I grew up, it was normal to have the doors locked and to use keys: Different risks, different assets. We learned risk management on physical security over thousands of years and generations passed their experience over to the next one.
Now, look at the Internet. I finished my Master of Computer Science in 1992 and the Internet was never seen there during my studies. It was shown to me about 2 years later by a student doing his internship (and I thought that I would never use this stupid thing, but this is a different story). My parents probably got in touch with the Internet in 1998 - so 9 years ago, and we really want them to assess risks with this amount of experience?
Additionally, see how the threat environment changed over the last 10 years: The writers of Blaster, Slammer and Sasser were mainly vandals bragging about what they were doing. Today we see organized crime investing a lot of money to fool my parents into doing something they do not want to do, and how are they trained?
So, what can we do about that? I personally think that there are different layers:
I am sure that the next generation will address a lot of these problems as my kids are growing up with the Internet and they are using it just naturally. The challenge will be to educate this generation on how to do "Risk Assessments" from the beginning. And with that we are back to Universities and schools. The teachers have to teach them (besides Math, Language, ...) tons of different themes and they do not know about these problems anyway and therefore they do not address them. So it might take even more than one generation...