Secrets and Lies and Beyond Fear are both excellent reading.
In many instances when interacting with security systems, people are transferring their volition to a software program. Are you really signing that e-mail? Of course not. You're asking the computer to apply a digital signature on your behalf. What if volition can be forged? Say a Trojan horse feeds a malicious document into the signing system when the key is opened to sign something else. We don't know of any attack like this right now, but could it happen?
Humans are poor exception handlers. They just want to get their jobs done and quickly grow frustrated when the computer becomes uncooperative. Computer mistakes are rare, and when they do happen, people simply don't know how to deal with them. They often disable or ignore alarms (this is why we don't really like intrusion detection systems all that much; their alerts often go ignored) and rarely read the complete text in dialog boxes. Admit it: when you see a dialog like this:
Doesn't your mind really process this instead:
Maybe you read and understand the actual question, but most people don't. Asking users whether they want to be infected has always proven to at best delay the problem. Given a sufficiently tempting selection of dancing pigs, and sufficiently detailed instructions for how to make them appear, users invariably find ways to circumvent just about any security measure you put in place.
Attackers know all about how people are vulnerable and have no qualms taking advantage of mistakes and fears. Learn and understand their techniques so that you can properly configure your people to build the strongest human defensive layer you can.