Tuesday, 17 September 2019

Why we won't get online safety

Why data breaches won't go away

Why phishing won't go away

"Those who would give up essential usability to purchase a little technical security deliver neither usability nor security."

There is no prospect of us having online safety in the foreseeable future. The diagrams above show the stories around data breaches and phishing.

The infosec world does not have the tools, resources, culture, management, or incentives to fix things. The bad actors carry on getting smarter.

The IT security world as presented to us ordinary users is confusing, inconsistent, and unpleasant.

Several things are clear:

1. The victim-blaming ("silly users with their 1234567 passwords") needs to be challenged at every opportunity. It is unhelpful in the extreme.
2. Digital literacy needs to highlight Michel de Certeau's 'Arts de Faire / Arts of Doing' - ways of reclaiming our autonomy from the panopticon and bad actors.
3. We need tools and resources to fight back / hold our own against the tide of incompetence and malevolence.
4. There is no obvious source for good advice, training, tools, and resources that will be heard above the noise and used at scale.

The Robert Graham Project says "I think the most important security precaution is to lie to computers compulsively". This includes made-up user names, multiple email addresses, fake answers to security questions, and multiple mobile phone numbers. The recent (very good) UK Government guidance gets close but not close enough.

