Isn't it true? Don't we always say that there is a PICNIC problem (Problem in Chair, not in Computer)? When we talk about security we often talk about the user – and this is right so. But do we always give the user what he needs to protect their information? Look at this story: Sensitive military files left unprotected online. There is definitely a lot of – hm, stupidity is probably the wrong word but definitely carelessness in the way the users treated files and information. But additionally, do we give the user the tools at hand that help them to protect their information? We always tell them to use strong passwords (and get back the answer: I do not know any words of 12 characters with upper- and lowercase, numbers and special characters in), encrypt their files etc. but tend to forget that a lot of exactly the same user still fight with how to write a letter on a PC (which is a little bit exaggerated, I guess).

Internally and with a lot of customers we use Rights Management Services with a lot of success. One of the benefits (and of the very positive feedback we got from customers is that it is very user-friendly. So approaches like that might help to address these problems besides the training and awareness campaigns we definitely have to run as well. The only point I want to make (and made over and over again): We have to make this kind of technology to be used easily.

Oh, just by the way: In this article Employees Pose Biggest Security Risk I read that only 19% of the security persons believe in the effect of security policy training for users… I think that we need it but we need the rest as well

Roger