pardon my iconoclasm, but a twitter conversation with jerome segura and maxim weinstein got me thinking about this. it was sparked by maxim's blog post "stop blaming the victims" where he argued that we shouldn't be blaming people for failing to follow security best practices (such as keeping web servers up to date). personally i consider this to be a form of infantilization. i've argued against coddling users before but i want to expand on the idea here.
the principle and practice of not blaming the users basically sends them the message that they're OK, they didn't do anything wrong, and they can keep doing things the way they have been. this is a marked departure from many of the other messages we send users trying to get them to be more aware of security and to make better decisions in security contexts. that makes the "don't blame the victim" dogma a substantially mixed message. have they really done nothing wrong? oftentimes there are things they could/should have done differently, things they've been told about in the past but still failed to consider. can they be entirely free from responsibility for what happens to them in such a circumstance? i don't believe so. do we really want to send the message that they did nothing wrong and don't have to change? how will we ever get people to take better care of their security if we do that? many people are poorly adapted to the realities of the modern world and if there's no force giving them pushes in the right direction they'll never improve.
more fundamental than that is the fact that victims are victims of the word "victim". by acknowledging someone as a victim we accept and embrace the notion of powerlessness that the word engenders. recognizing people as victims gives them a license to be victims and to remain victims. when someone is taken advantage of we shouldn't be treating them as some helpless and fragile thing, we should be helping them to become empowered so that they don't get taken advantage of again and again and again. by telling them they're helpless victims we rob them of the opportunity to better master their fates and gain confidence in their abilities. perpetuating the notion of the victim keeps the lay-person down.
therefore, not only do i think we should hold people at least partially responsible for the consequences of their actions or inactions (to blame the victim in normal parlance), but i also think we should blame the people who say "don't blame the victim". their well-meaning but ultimately misplaced mollycoddling holds people back and stymies our collective growth and advancement. we can never adapt if we're taught that we can't change our fates.