Comment by FerretFred

The crims have obviously worked out that it's much easier to subvert the "users" rather than have a head-to-head battle with IT. If a user (even a careful one) clicks on a link in an email, should they actually be held responsible for what follows, or is it the fault of IT/Security whose security setup allowed an email with a dubious attachment to make it through to the user?

I know many intelligent, conscientious, non-techy users who'd be mortified to think they enabled a ransomware attack - but is it their fault?