Your users aren't ignorant drones; they are smart people (yes, you might believe the contrary, but my development year showed me this is a false perception). But they don't have enough knowledge to live up to their responsibility to protect themselves and, by doing that, protect others. We can't give users responsibility without the knowledge to live up to it. So we have to educate our users to be secure (and not leave passwords stuck to their monitors), but that isn't enough if our security measures make our software, the users' tools, unusable. On the other hand, it has to be secure. So it must be secure enough and do everything to facilitate your user. In rule #7 I will explore this dilemma further.