One of the most popular computer security jokes with multiple punchlines is, “If you want a secure computer, then:

• Lock it in a closet without a network card.
• Get rid of the keyboard.
• Get rid of the end‐user.”

Today’s popular computer operating systems (OSs) are more secure than ever. They come with fairly secure defaults, require passwords, automatically patch themselves, encrypt data by default, and come with a myriad of other features. This doesn’t mean they all have the same commitment to security or the same record of success. Still, the overall success of “secure‐by‐default” has reached a level where most hackers and malware have resorted to social engineering or exploiting a vulnerability that has an available patch that the end‐user has not applied.

This did not happen by accident. It took years, if not decades, of experience and security analysis for operating system vendors to figure out an acceptable line between too secure and too insecure. End‐users just want their operating systems to work for their intended actions without too much hindrance. If the end‐user gets too bothered, they will either try to work around the security feature, disable it, or choose an entirely different operating system. Many security commentators diminish any operating system that doesn’t choose the strongest possible security solution for every decision, without giving rationale consideration to the ability of the vendor to sell the operating system or appeal to end‐users. ...