Jakob Nielsen writes that “user education is not the answer to security problems.” His recommendations:
- Encrypt all information at all times, except when it’s displayed on the screen. In particular, never send plaintext email or other information across the Internet: anything that leaves your machine should be encrypted.
- Digitally sign all information to prevent tampering and develop a simple way to inform users whether something is from a trusted source. This might, say, replace current stupid security warnings that people don’t understand because they expose the guts of the technology. (“The security certificate has expired or is not yet valid.” Aha. And what does that mean to a normal person?)
- Turn on all security settings by default since most people don’t mess with defaults. Then, make it easy to modify settings so that users can get trusted things done without having to open a wide hole for everybody.
- Automate all updates. Most virus software downloads new virus definitions in the background, which is a good first step. The automated patching introduced with Windows XP’s SP2 is also an improvement.
- Polish security features’ usability to a level far beyond anything we’ve seen so far. Security is inherently complicated, and it’s something users don’t care about (until it’s too late). The user interface requires the ultimate in simplicity. Heavy user testing and detailed field research are a must.