TL:DR - Sometimes security people make sweeping statements without considering how they will be interpreted, or their effects on people in different stakeholder groups. We need to stop saying "Security education and studies are a waste of time" when we really mean, "Developers should do a better job of building security into their technologies". For as many years as I can remember, security professionals have been arguing about whether or not security awareness training has value. Even still, security experts feel that individual users or employees should not be required or counted on to learn about security threats and vulnerabilities. Their rationale seems to be that security technologies should really be able to compensate for vulnerabilities well enough that humans should not need to worry about the risks they face. In fact, Bruce Schneier one of the most respected security thought leaders, has taken this position more than once. But I'm not sure that making these kinds of statements is helpful to anyone, except perhaps developers of security products.

Did you know?… While the blog column you’re currently readaing has all my posts from about December, 2015 to now, I actually have posted over 100 […]