One bit of advice that has been consistent from almost every person profiled in this book is their belief that more and better computer security education is needed. No one thinks that any perfect technology solution will become available any time reasonably soon that will preclude people needing to be aware of computer security threats and how to handle them. Some computer security “experts” claim that it’s a waste of time trying to educate end‐users, but most serious security professionals know that education for end‐users and staff can only help.

My current employer, Microsoft, forces all employees to undertake annual computer security training on multiple topics. One year, after we had been getting a lot of email phishing attempts, the mandatory training video included a well‐respected Microsoft employee who had been tricked by a phishing email. He was well‐liked and he worked in a field that required heavy computer security knowledge. In short, he should have been less likely to be socially engineered by a phishing email, but it happened to him. He shared his experience, including how he fell for the well‐crafted, targeted spearphishing attempt. It was wonderful to see one our technological leaders share that he was fallible, that he made a mistake, and how that mistake happened. He then shared that although he was personally a bit embarrassed about his mistake, he wasn’t too ashamed to call IT security to report the incident. It was a tremendously ...