It’s impossible to create a security system that removes the user from the equation. They are integral, and they have to be part of your security program. Security is defined by the individual. The minimum expectation you can have of your users is that they’ll operate in good faith. Avoid complexity because as soon as it’s introduced it drives problems everywhere. Instead, keep asking yourself, how can I make security more usable?
Individuals are suffering from alert fatigue. If you’re going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alert the user is seeing and deciding or not deciding to take action on. Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email.