Listen, we all agree that the biggest source of risk in an organization is people.
The problem is, was, and always will be: what are we going to do about it? There are two schools of thought on this that I typically see. One is to "train" the user: constantly, and with ever-shifting content, try to make the user better at doing security work, and treat every user in the organization as also being security staff. The other is to make it impossible for the user to ever screw up, often stylized as "do not punish users for clicking links on the link clicking machine". I think both approaches have a dark side.
The dark side of treating users as security staff who sometimes make mistakes is that you end up treating them as stupid for not knowing what to do. This sucks. I, as a security lead, got an email this week that failed DKIM, had a deadline in the subject, and asked for PII, so I marked it as spam. HR was very annoyed when I didn't get their urgent email. If I'm checking DKIM and still can't tell what's spam, it means that most of the staff aren't able to tell. So just adding more and more training, repeating it, and treating people as stupid for not getting it is not a useful process. The training-and-belittling spiral is the death of your security program.
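To make the point above concrete, here is an added example (not code from the original post) that encodes the same three signals the author used, a DKIM failure in the `Authentication-Results` header, an urgent subject line, and a request for personal data, as a mail triage rule, and runs it over a constructed internal HR message. The message, the domains, the header values and the keyword lists are all made up for the example; the rule quarantines the legitimate HR mail for exactly the reasons a careful human would.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message (not from the original post): an internal HR
# request that arrived with a failing DKIM signature, an urgent subject line,
# and a request for personal data. Domains, names and selector are invented.
SAMPLE_HR_MAIL = b"""\
Authentication-Results: mx.example.com;
 dkim=fail (body hash did not verify) header.d=example.com header.s=sel1;
 spf=pass smtp.mailfrom=hr@example.com
From: HR <hr@example.com>
To: security-lead@example.com
Subject: URGENT: benefits enrollment closes Friday, response needed today
Content-Type: text/plain; charset=utf-8

Hi,

Please reply with your home address and date of birth so we can finalize
your benefits enrollment before the deadline.

Thanks,
HR
"""

# Assumed keyword lists; a real deployment would tune these per organization.
URGENCY = re.compile(r"\b(urgent|deadline|today|immediately|closes)\b", re.I)
PII_REQUEST = re.compile(
    r"\b(home address|date of birth|ssn|social security|passport|bank account)\b", re.I
)


def parse_authentication_results(msg: EmailMessage) -> dict:
    """Return {method: result} from the first Authentication-Results header.

    Follows the RFC 8601 layout: "authserv-id; method=result [comment] props; ...".
    Parenthesised comments are dropped and folded whitespace is collapsed first.
    """
    header = str(msg.get("Authentication-Results", ""))
    header = re.sub(r"\([^)]*\)", "", header)   # strip "(...)" comments
    header = re.sub(r"\s+", " ", header)        # unfold continuation lines
    parts = [p.strip() for p in header.split(";") if p.strip()]
    results = {}
    for part in parts[1:]:                      # parts[0] is the authserv-id
        m = re.match(r"([a-z0-9-]+)=([a-z]+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def triage(raw: bytes) -> dict:
    """Score a raw message on the three signals and return them with a verdict.

    Two or more signals means quarantine. This mirrors the human judgement in
    the text and shows why the legitimate HR mail gets caught by it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_authentication_results(msg)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    signals = {
        "dkim_fail": auth.get("dkim") == "fail",
        "urgent_subject": bool(URGENCY.search(str(msg.get("Subject", "")))),
        "asks_for_pii": bool(PII_REQUEST.search(text)),
    }
    score = sum(signals.values())
    signals["verdict"] = "quarantine" if score >= 2 else "deliver"
    return signals


if __name__ == "__main__":
    print(triage(SAMPLE_HR_MAIL))
```

The rule is doing nothing wrong: all three signals are genuinely present, and an attacker's mail would look the same. That is the problem the paragraph describes; more training does not give staff a better signal than the one the security lead already had.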
The dark side of trying to make it impossible for people to do the wrong thing is that it's very easy to treat people like cogs: making them unable to learn or grow in their career, or worse, subjecting them to a permanent workplace panopticon. There's nothing that makes me feel worse coming into work than knowing that I'm being constantly spied upon, but there's a school of thought that this is good security, or even the only good security.
I'm not going to say that the best place is in the middle. I think the side of making it impossible for people to do the wrong thing is correct, but I want to talk about how to do it without going down the dark path. I think the core of the conversation should be asking what people are trying to do, and what we want as a security team. For me, the most important question is to always ask why things are done insecurely; I think the answer is always intelligent and well thought out. I don't love saying it's all about incentives, because process ergonomics are just as important. People hate clicking twice when they could click once, and they hate using two portals when they could use one. People don't want to write a report. Even if their bonus depends on writing an incident report as quickly as possible, they probably don't want to do it, because it sucks.
When I think about a security process, I always try to do a few things:
Because we can't just secure computers