Is it the end-users' fault they're so clueless?
Contradicting the knee-jerk self-righteousness that develops in experienced IT people is the PwC survey's finding that only 38 percent of large companies offer any security awareness program at all; 54 percent of small organizations have such programs.
Only one organization in seven that claimed to put a high priority on security even had a written security policy, let alone a training program.
Even at those high-security organizations, only a third of the staff understood the security policies.
So…whose fault is it?
Both. Users don't pay attention to geeks because security talk is a downer. IT people condescend to and patronize comparatively non-technical colleagues, and they have little or no incentive in their performance-review goals, bonus structures or other reward systems to educate end users rather than scoff at them.
IT people don't respect end users because…well, this is the Internet. There's not enough space to write all the reasons IT people don't respect end users and the kind of language that would be needed for an accurate description just isn't tolerated.
Sophos did something useful with its survey: it linked the pathetic snapshot of the attitudes of IT security people with a toolkit designed to jump-start employee IT-security training programs. The kit also contains a few horror stories from the IT people whose experiences contributed to the information in it.
The toolkit includes a sample employee handbook, 10 tips for better security and better passwords, educational videos, and documents to educate users and encourage them to buy in to the idea of security as a benefit rather than a chore.
Good luck on that last one. But on the other hand, good luck (seriously) on the rest of the items as well.
You can't blame users for not doing what you want if you never explained it in the first place, and you can't blame them much if you don't show them why a few precautions benefit them, not just make some dour security diktator happy.
Oh, and while you're at it, buy something that will let you encrypt the data all those users are downloading to the iPhones they'll be leaving on a plane or train sometime in the near future, hmmm?