I think it’s safe to assume that if you’re reading this, you’re probably a technology expert who has mastered the intricacies of poking around in unfamiliar products to see how they work. And yet, even with that wealth of knowledge, we’ve probably all had the experience of interacting with some product that was so complicated and unintuitive that we had to seek help. Or we’ve had to spend unexpected hours diving into the murky depths of settings menus in order to fix some seemingly minor issue.

Many of us may also have been conscripted into using our fiddling-expertise in support of friends and family members. If we’re lucky, most responses to these requests don’t begin and end with the words “Have you tried turning it off and on again?” But if that’s the case, it probably means that we’ve spent many long hours trying to sort out complex problems on someone else’s machine. So we should all have an intuitive sense of how frustrating and complicated it can be to get software to do basic operations in the way one would expect.

With this in mind, we as experts should put ourselves into the shoes of users: given how frustrating it is to make basic operations happen, how much worse is it when you add obstacles like adversaries trying to trick them into doing things that will harm them, and security people putting up restrictions users don’t necessarily understand?
What can we do to help set users up for success, even when they need to do things that are considered risky behavior?

Accentuate the positive

When we educate people about how to do something new or potentially confusing, it’s a good idea to tell them what they should do to be successful, rather than what to “not-do.” For example, if you’re teaching someone to cross the street, it’s better to use statements that positively describe safe action, like: “look both ways before crossing.” The kinds of statements we should avoid are those that negatively describe actions, like: “don’t run out into traffic.”

The first category of statement gives clear, explicit direction for what someone should do; the second leaves listeners to infer what action they should take instead. If someone is not an expert, there’s a very real possibility that they will guess incorrectly, and develop unsafe habits. And there are legitimate instances where people may really need to do an unsafe thing as part of their job description.

Historically, a lot of the instructions we have given people about safer online behavior (I’m absolutely guilty of this too!) fall into the second category: “don’t click unsolicited attachments or suspicious links” or “don’t use public Wi-Fi.” So, what should they do instead?

Using our expertise to make life easier

Let’s take a deeper look at the first admonition: what should users do if they get an unsolicited or suspicious attachment? Security software is an important level of defense, but should not be the only one. They could potentially delete the message with the attachment without opening it, or if they know the sender they could contact them to verify what it is, or they could take the attachment to a very restricted environment to inspect it safely.
Obviously, the last option is the highest level of difficulty, and it would require the most preparation and education for someone to do safely.

Right now, a lot of malware attacks are taking advantage of the fact that there are specific job categories (Human Resources being one example) where handling unsolicited attachments is part of the job description. As security experts, we need to set our users up for success: we should be providing them with a safe, sanitized environment where they can quickly and easily take those files to run them without doing any permanent damage.

Giving these users a “sacrificial goat” machine that’s totally separated from the network, which they can re-image to a clean state, is one way of doing this safely. Giving them a sandbox in which to run files, and a separate area of the network so that damage can be contained, is another possibility. While this does require more work from us up front, it’s a lot more pleasant than putting out fires after damage has been done.

In the case of helping users safely utilize public Wi-Fi, we can provide users with VPN software, train them when and how to use it, and require its use to connect with company resources.

Security is a department that often has a reputation for adding confusing limits on users’ activities. While strong boundaries are important, it’s time for us to focus more on creating safe ways for people to do what they need to do.