Chris Hoff did two good posts over on Rational Survivability.
1: News Flash: If You Don't Follow Suggested Security Hardening Guidelines, Bad Things Can Happen...
Not so interested in the VM stuff, but the idea that the press sensationalizes security talks (like a GSM cracker for $1000.00: technically correct, but not quite right) is right on. Most of these exploits require that the sun be lined up right, that the checkbox that is not checked by default is checked (or unchecked), and that the user clicks on the links on Wednesdays between 2:00-3:15pm.
2: McGovern's "Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security" http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html
A post on leadership mistakes that seem to happen all over; his own list is pretty good too. I posted a comment on what we can do about his #4:
Awareness initiatives are good for sexual harassment and copier training, not security
I did a blog post about that earlier. If users are broken, then we need to start incorporating social engineering and owning users in our pentests, as well as teaching kids about the dangers of the net and how to not be so gullible. We also need to make security training more than the "ok everyone, time for annual security training... just click through the slides and print out your certificate..."
It really all boils down to this: you never get a free lunch. If you can instill and internalize that, you'll never get taken by one of those stupid scams. Of course, if I find the girl that outed me on my "member" size, it's gonna be fight time.