Research in usable security commenced 10 years ago, when it was found that many users make mistakes using security tools, or shortcut difficult and cumbersome security procedures. But is "making it for users to do the right thing" sufficient to ensure that users comply with security policies? Based on a White Paper on "Human Vulnerabilities in Security Systems", the talk will argue that it is not, and that effective security design and operation must look at a bigger picture of managing human behaviour in organisations. Key drivers for malicious behaviour are dwindling loyalty and trust between organisations and staff, boredom, revenge, and a sense of entitlement, especially among executives. Key enablers are the complexity of current systems, security models (command and control) that do not fit modern, global organisations, and failure to use human intelligence in the detection of malicious acts. Key recommendations include business process-centred security models, explicit definitions of roles and responsibilities, improved security awareness, education and training programs, and the inclusion of security goals in psychological contracts and reward schemes.