I had a conversation with a help desk coworker just this morning about what it feels like to realize you fell for a scam. He couldn't see how a reasonably smart person could fall for a particular kind of scam. I reminded him that he and I are immersed in tech. We're experts. We're good at our jobs.

But those users of ours who fall for stuff? They're good at their jobs too! They're just not good at our jobs. And when they realize they messed up and they call us for help? Don't you ever be unkind to them. They're well aware they messed up and yet they still called us. That's admirable, not shameful!

@puppygirlhornypost2@transfem.social @CrabbyIT@infosec.exchange

We've spent decades telling people "don't click on shit" while at the same time giving them more and more complex workflows that require clicking on all the shit and then we get mad at them when they click on the wrong thing because we told them not to click on shit, but their job literally requires clicking on shit.

We need to do better.

Empathy is the future of security.

@puppygirlhornypost2@transfem.social

@puppygirlhornypost2 @julie We are just happy they let us know they clicked on something sus.

It is our jobs to know and notice things too but like everyone else our workflows are complex and we are only human too.

I suspect most of us work collectively on our own demise by not treating security costs as inherent cost to doing anything.

By complying to build $thing with less security, rather than less $thing including security, we collectively set a standard for how much $thing can be built for how much money, security be damned.
There's a tragedy of the commons here.

This can likely be fixed by regulation mandating security practice. We know that from other fields of engineering.