The final, and most important, piece in client application security, however, is security between chair and keyboard (SeBCAK). The fact of the matter is that as soon as you put a computer in the hands of a user, you lose a lot of control over that computer. In the end, the user has to make security decisions, which means the user must have an incentive to make the right security decisions and must have the knowledge, training, and skills to do so. A while ago, we spoke to a consultant friend of ours about a security breach on a sensitive network. When asked whether the network was air-gapped, he responded that the network was not, but the users were, between the ears. Although this is taking a bit of a glum outlook, particularly with respect to trying to blame users, the fact remains that users must take responsibility for security. This is the entire topic of Chapter 5, and, frankly, we consider that chapter more important than this one.