Dont count on securing end users for system security. Instead, focus on better securing the systems — make them closed by default and build with a security-first approach.