Looks like I missed this the first time around but there is an article about a speech recently given by Peter Tippet, a VP at Verizon and a scientist at ICSA labs, who talks about how useless most security actually is. Most of his points are ones that I have been making for years like the uselessness of long complex passwords, all your doing is inconveniencing the user. Or how ineffective the continuous search for, reacting to, and patching of new software holes really is when you consider that only a small percentage of those holes are ever exploited. Do you want the highest rate of return on your security dollar? Spend it on the weakest link, the people. Security awareness training, while hard to quantify, will provide the biggest return in terms of security. If you can train your users to think about security as part of their everyday work lives your overall level of security will increase dramatically.