This CSO article takes an interesting, yet flawed, stance on user responsibility. There is true value in empowering employees with best practice-based knowledge to reduce the risks common without understanding. However, it’s important to acknowledge that there will always be a fraction of users either unwilling or unable to internalize the training. Blaming the user and requiring them to spend time and attention on something that is secondary to their work is troublesome. As such, a security model dependent upon training alone is doomed to fail. Instead, security systems need a level of resiliency—like our Passages offering that assumes human users will unintentionally click and do bad things.