Online Safety and Privacy

Dr. Lorrie Cranor on Security Asking People to Do Things Our Brains Can't Do

“Ideally, training and education are the last resort.”

Dr. Lorrie Cranor of Carnegie Mellon University spoke up about what the security industry consistently gets wrong at the National Cybersecurity Alliance RSAC Executive Luncheon held in San Francisco in March 2026.  

In a wide-ranging discussion with cyber expert John Elliott, an instructor with the NCA's Cybersecure My Business initiative, she explained how many systems today ask humans to do things human brains literally cannot do.  

When we punt security issues to the user, she said, "We don’t punt it to the user in a way they can realistically do it," and she mentioned how, for many years, we expected people to remember dozens of long, unique, and complex passwords.  

Cranor, who is the director of Carnegie Mellon's CyLab Security & Privacy Institute, has been beating this drum for a long time. Elliott, who said he was "starstruck" by Cranor, brought up the 2005 book Security and Usability: Designing Secure Systems That People Can Use. Elliott said the book changed his entire point of view on cybersecurity 20 years ago.

In the discussion, Cranor mentioned several ways the industry sets up ordinary people to fail and what can be done about it. 

1. Think about making security easy 

Too often, Cranor believes, we pass security tasks onto users that are difficult or confusing. She brought up the example of browser certificate warnings – 10 years ago, it was very normal to see them even in benign situations. As a result, people just "swatted them all away," she said, and they did the same in the rare cases of an actual man-in-the-middle attack. As a positive example of change, she noted that handling these warnings is now often automated and no longer depends on the user.

Today, she focuses a lot on how we approach passwords. She mentioned that password managers are an easy, scalable solution: "They do fail, but they don't fail very often" compared to reusing passwords.  

She said the longer-term goal is to eliminate passwords altogether and have people use devices to authenticate (with passkeys, for example): "We should be out of a situation where we need to have dozens or hundreds of passwords to remember." 

2. Awareness is still important 

Cranor still sees a lot of value in awareness campaigns, particularly around artificial intelligence (she didn't mention it, but an example is NCA's AI Fools, Stay Sharp campaign). 

"We’re entering a time now when gen AI can generate much more convincing phishing emails, as well as deepfake video and audio," Elliott pointed out.  

"The first step is to make people aware that this is happening and that the AI is extremely advanced," Cranor responded, but mentioned that she wants the industry to go beyond simple "be careful" messaging. 

"If I just spend all day being careful, I’m not going to do anything," she said, mentioning that she liked the idea of safe words for families.  

3. Cybersecurity can be fun 

Even though some of her pronouncements were dire and change has been slow over the decades, she still sees opportunities to make cybersecurity fun. She stunned the crowd with a dress patterned with bad passwords (like “jennifer”) she made herself – she even made a custom bad-password ball gown! She also wrote a book for children aged 4 to 6 to teach them privacy basics. 

When asked about the biggest way the industry misunderstands security, she said that “it doesn't conduct security tests with users when they test their products with users ... security is viewed as a little side piece." 

"Humans make errors, but they make errors doing things they shouldn't have to be doing in the first place," she opined.  

Cranor's hope is that systems become more secure so users have to do as little as possible.
