[spdustin]

Excellent advice that I give my students, and readers here will be well-served in following it.

I don't even want to admit how many managers come back to them with "we mitigate that risk with user education, we have too many legacy (blah blah blah)." There's always some excuse, isn't there? Usually within departments, but once executive-level hears this sort of thing, they tend to at least investigate what the real risks are. So I'm adding on to your advice to other readers to suggest they "go higher" with their security warning.

Man, I wish we lived in a world where management understood that people are shockingly good at finding ways of not doing what they're told!