But I hear your point and I do agree. User education alone won’t save us any more than it has saved us against pretty much any other “security” “crime” in our country (teen pregnancy, drug use, etc). It helps, especially when people are receptive, but we can’t assume everyone will be receptive.

At least with technology we have some absolutes, or as close as we can get to them.

Then again, we get down to how far can we take technology before users are no longer using computer systems but rather punchboards that do their 3 tasks and that’s it?

But it certainly does work whenever students/employees see a clear, personal benefit to learning the material, and the presentation is at a level they can understand. Example: If you can train someone how to reduce the chance of their system getting hacked by malware, they can readily appreciate the benefit of not having to go a few days without their system while it’s being repaired. Everyone listens to WII-FM (What’s in it for me?), and as long as security education addresses that question, almost everyone will at least pay attention, if not actually learn something useful.