So, this piece from AndyIT blog and his quote of SANS's Dr Ullrich touch upon something deceptively obvious: just WHERE do we draw the lines between user vs IT/IS responsibility for security? In fact, the situation is even more complex: it is user vs IT vs infosec team! (And there is also a software vendor responsibility somewhere in here...)
Let's go through some scenarios:
- User and IT=0%, infosec=100%. Result: failure of security due to technology limitations, lack of control over the environment, as well as social engineering.
- User=100%, IT and infosec=0%. Result: trivial case, obvious failure.
- Then it gets real complex real fast for the cases of shared responsibility...
UPDATE: AndyIT answers it - "Probably something like Security=85%, IT=10% and Users=5%." See more of his follow-up post here.