Human nature and email attachment security
Dare's post about human nature touches on UAC in Vista:
How do you design a dialog prompt to warn users about the potential risk of an action they are about to take if they are so intent on clicking OK and getting the job done that they forget that there was even a warning dialog afterwards?
There are a lot more examples out there but the fundamental message is the same; if you are designing a system that is going to be used by humans then you should account for the various ways people will try to outwit the system simply because they can't help themselves.
After reading this, I thought to myself "Oh yeah, I should write up that blog about the first time we did the security patch in Outlook 98 which forced users to save dangerous filetypes like EXE/COM/etc locally before they could run it"... and then I realized that I already did:
It makes me laugh now to think back to the days of that very first patch, and all the hours I spent testing various scenarios, ensuring that the user was forced to save them to the filesystem first. The next email virus that came around after we released that patch, I kept track of all the copies I received from people inside Microsoft, and I looked at what version of Outlook they were running - and many of them were running that patched version. So they got the BillForNecklace.exe, saved it locally, and then ran it. Gotta love humans!