Comment by Kalium

5 years ago

I think there's a strong incentive for a lot of small-business people and software engineers alike to wholly blame attackers. If it's the attackers' fault, you don't have to wonder if your insurance is good enough. You don't have to examine if you keep your software sufficiently patched. You don't have to examine if your company's custom internal infrastructure is resilient or if it's one giant shared CIFS drive full of sensitive customer data without backups.

Often, taking security seriously feels like directing a certain amount of resources for uncertain returns at a domain that feels like it should come for free. Software engineering feels like it is like manufacturing, where you produce artifacts and ship them. It's jarring to recontextualize this as actively engaging in an adversarial, human-driven domain.

Between the two, our fellow users are heavily incentivized to find ways that they and people like them are blameless. It's a way to avoid engaging with what can feel like an impossible problem. Without attackers there wouldn't be any cybersecurity issues, right?