One of the first and most important lessons the risk assessor learns is that the human is the weakest link. While computers will never stray from their algorithms, the average user is naive and forgetful - making them susceptible to being socially engineered into disclosing sensitive information.
The average user doesn't see themselves as a piece of the security puzzle - they believe that their data is sufficiently protected by immature frameworks, ethical corporations, and academia, or by affairs that are “too complicated” for them to participate in. As infosec professionals we know this is far from the truth - the compromise of an entire infrastructure can be owed to even the smallest human error. Yet our average user is unaware of the risk they carry, leading them to believe that anything they are allowed to know or do is inherently secure rather than simply being convenient for business operations.
Hackers are Scary recounts how a quest to make privacy and security a priority in the healthcare sector reveals this gap between theoretical responsibility and actual practice. Through the trials and tribulations of making health record fraud and medical device vulnerabilities an approachable topic, one thing becomes clear: the average user is actually quite concerned, but does not know how to participate. At the same time, industry culture has a tendency to pass off this gap in knowledge as the user's laziness or irresponsibility. Only by creating an approachable dialogue through which the non-security-savvy can engage will they be able to learn how they fit into the bigger picture - both technically and culturally - and why it is necessary for them to take agency over the protection of data entrusted to them.