> People are capable, and should be helped to make decisions based on all available information.
To relay a quote, with the source not being very important: "I'm not going to waste a dime on cybersecurity when my officers need bullets and armor." People can be intelligent and capable and have minimal (if you're lucky) bandwidth or tolerance for cybersecurity advice. It's not the crisis they see every day. The advice given to unwilling listeners has to be focused and prioritized.
And... Password leaks and therefore rotations aren't an issue if people are using a strong main password for their manager. Then a leak doesn't transfer to another account and the manager will loudly tell them when a password is found in breach data -- which lines up with NIST's modern advice of avoiding password complexity and rotation, since they've found it to lead to minimal (at best) gained security.