Yesterday I was helping my next door neighbor set up a new laptop for his son. I am frequently called to service by my neighbors when they are in need of computer assistance, and gladly help them when I can.
As I was finishing up some work on his computer, he inquired about a computer he had seen me carrying into my house a few weeks earlier. He asked me if I had been able to rebuild it after the viruses had "messed it up". I told him that the reason I had to rebuild it was because the motherboard had died, and that my computers never get viruses. This obviously took him by surprise for a moment, and then he said "Oh, that's because you know what to put on your computer to protect yourself." I told him that I did not use any "protective" software other than a virus scanner. This surprised him even more, since he too uses a good virus scanner, and since his computers, and the computers of most people he knows (and most people I know, for that matter), are constantly getting "infected". How do I do it, he wondered?
I gave him a simple analogy. If you take a civilian, arm him with a gun, and put him in the middle of a high-crime neighborhood, and do the same with an experienced plainclothes police officer, who do you think has the highest likelihood of not getting killed? "The police officer" was his answer. "Why?" I asked him. "Because he knows what to do to keep from getting killed," my neighbor replied. "Exactly!" I said.
The officer knows how to avoid getting killed because the officer understands the threat landscape. I avoid getting infected because I understand the cyber threat landscape. I simply never let my guard down in cyberspace, and despite the fact that I spend at least 5 times longer on a computer than my neighbor, I do not get infected by malware, viruses, popups, or any of the other annoyances that others I know must constantly deal with. I have taken the time to understand where the threats are coming from, and how to avoid becoming a victim of them. Sure, I use and recommend tools such as popup blockers and a good virus scanner, but those are there as my "backup". Most cops rarely have to so much as draw their sidearms, let alone use them. They take the time to understand the threat landscape, and go forth with that knowledge.
I wish that we could get the corporate customers we, as security experts, work with to buy into this notion. Nearly every one of them is more interested in what "product" they need to "get secure", and not in having us help them understand the threat landscape or "threat model".
Perhaps one day they will learn.