Wednesday 9 April 2008

Security: Educate The Uneducated.

I posted this earlier today as a comment to an article I found here: [nobosh.com]
"No matter what network restrictions you put in place or what security policy you try to implement you can never protect the user against themselves. With social networks growing there is a rise in link sharing and email forwarding, not to mention drive by downloads and iframe trickery and the like that sit quietly on infected web pages. You can lock a whole network down as tight as you can, but you can never protect yourself fully from an uneducated user. Social engineering is still the biggest risk (in my opinion) to most networks, the more users the more risk. I guess my point here is that an educated user that can be trusted not to abuse policies and privileges is the best security tool."
Another user asked "How do we educate users?".
Good question.
My reply was in reference to a business environment, where you would have departmental policies and access control restrictions in place. It was only after I wrote another response that I realised he might be talking about users in general.
There is such a broad scope of people that use the internet these days that it would be impossible to educate everyone, and just plain stupid to try. The thing is, most of those people don't want to be bothered hovering over a link to see where it goes, and they definitely won't be bothered using something like NoScript to block scripts from being run.
I think the general public want the one app that does everything... which is unfortunate, because all of the ones that claim to do everything... well, sure they can do everything, but there is nothing that they do well. So for now we are going to have to stick to auto updating and integrity checking, but that's not so hard, is it? Just click an allow button once in a while if you are pedantic like me and like to be notified of all network activity.
That brings me to another point, which is how users cope with "learning" firewalls. I've seen a lot of people with the best intentions of reading the alerts constantly, only to get sick of it after a couple of days and absent-mindedly click "Allow" as soon as it pops up. To this I don't think there will ever be a remedy, especially if all of the users of that computer aren't aware of what to do. You all know the sound: "Hey (insert name here), there's this thing on the screen that says blah blah. Should I click allow or deny? (insert name here)?" I'm not saying that everybody should be a geek and know exactly what they are doing, but rather that every user should have at least some idea what the protection software wants them to do.
You could stand on a hill and yell "Free beer for everyone that keeps their software patched and up to date!" and still not everyone would do it; granted, some may prefer wine or spirits, but that's hardly the point. The truth is... most people don't care. They just want to use their computer and get on with their lives. I have nothing against that and to a large degree think that's how it should be. All I ask is that if you are knowledgeable about this, pass this knowledge on to your friends and co-workers. Set up their firewalls / IDS / AV software / malware / spyware / detection / registry backup / patch schedule / OS updates / and whatever else they need (whew, just kidding).
When it comes down to it, help them once to avoid having to help them many times... if you get my drift.

2 comments:

Anonymous said...

Interesting post. I enjoy your writing.

Kaph said...

Thanks anon, I try :)