Engineering for Stupid

We used to have a saying among computer engineers that went like this:  "You can't engineer out stupid."  The meaning, to those of us in security, is that engineering for security cannot compensate for every stupid thing that a user might do.  We have had people connect classified computers to the Internet.  We have had users send classified documents over the Internet (some very sensitive things too).  We have had some government officials use private accounts for public business.  No amount of engineering can compensate for things like that.  

The Defenders of Hillary wish the whole issue raised by Clinton's use of a private email account at State was that she didn't violate the law.  Nobody makes laws for stupid, anymore than we can engineer for it.  We always assume a certain amount of common sense - best practice, so to speak - that a responsible official will follow.  No agency writes laws for things like this; they only have policies.  Some senior people think policies are for other people.  Only a few confuse them with laws.  When you violate a law, police or investigators come and look.  When you violate a policy, your own internal IG comes.  They are not equal responses.