This report states that the commonly held belief within the cybersecurity community, that “users are stupid” is incorrect. The report argues that blaming users for cybersecurity incidents is counterproductive, as it only weakens the relationship between “cybersecurity professionals and the people they are ultimately tasked to support”. Instead, cybersecurity professionals should empathize with and empower users by educating them about good cybersecurity practices. Organizations should focus on improving the usability of their security systems. The report recommends that security systems should be designed with the user in mind and should be intuitive and easy to use. It also highlights the importance of user training and education to help users understand the risks and their role in mitigating them. By improving the usability of security systems and empowering users with the knowledge and tools they need, organizations can create a culture of security and reduce the risk of cybersecurity incidents.
