End User Training Needs to Be a Higher Security Priority
Everywhere you look these days you see IT organizations that have dedicated some portion of their staff to being the patch police. They spend a fair amount of their days prioritizing and applying patches to help prevent the possibility of attack through a new vulnerability. Of course, nobody really knew much about that vulnerability until a vendor or some other organization told thousands of hackers about its existence. But on a more practical level, the vast majority of the security issues that an IT organization has to deal with have nothing to do with something that somebody is specifically trying to do to them. Instead, they arise from the ill-advised behavior of users who inadvertently visit some site that is loaded up with any number of types of malware. And despite the best efforts of the makers of anti-malware software, there always seems to be one type of malware or another that squeaks through our defenses. And before you know it, the whole organization is infected. Of course, a lot of those infections are things like zombies that hackers are using to create a network of computers that they can use to later attack a specific system. But most people are generally clueless about the existence of a zombie, apart from occasionally noticing some degradation in system performance.

Worse yet, most security breaches have very little to do with hacking. A recent report from the Identity Theft Resource Center noted that of the 167 data breaches that exposed personal information of more than 8 million people, only 13 percent could be attributed to the activities of outside hackers. The rest of the breaches simply come down to people leaving sensitive data on lost laptops or accidentally sending sensitive information to people who shouldn't have access to it. None of this behavior is ever going to completely cease.
But maybe the time has come to reinforce to end users on a regular basis what it means to be a good corporate citizen in terms of security awareness. That's the premise behind an offering called BreachLine from a company called MySecurity Plan. The basic idea behind BreachLine is to create a system that requires end users to answer a series of questions about best practices for security and to confirm that they are aware of specific corporate policies as they apply to security. This in itself is not going to eliminate security risks. But it could go a long way towards mitigating a lot of risky behavior. It would also go a long way towards showing the courts that reasonable steps were taken to educate people about security issues, in the event that a security breach should create some legal liability. There's a reason why we require health education in our school systems, and the same reasoning should apply to computer security. Health education is not going to eliminate disease, but it sure does reduce the number of people who get exposed to disease. It's high time we started applying the same concepts to the way we think about computing in the age of the Internet.
