Excellent writing as usual, and I agree with everything you say. One point I would like to stress, about this and the other article you wrote about awareness messages.
For the last 6 months I’ve been doing non-stop security and awareness talks for small businesses — law firms, accountants, coaches, translation agencies, you name it. They are the audience you’re describing — the ones who don’t know anything about cyber security, and they don’t care. They do, indeed, believe that installing an anti-virus solves all of their problems.
What I found out is that before any awareness message can go through, they have to understand. They have to care. And the only way to do it is to show them a. that it’s real, not some potential threat that might come one day, and b. the potential results for them, personally.
Simulations are the answer. Just like I did with employees for my previous company, I send fake phishing emails to my audience or to my students, before we even meet. I show them, live and on-stage, how they failed to recognize the threat. I show them what would have happened if this was real. Another thing I like to do in lectures is to set up a fake hot-spot, and see how many people connect, and then also show them how an attacker can control their mobile browser.
They get it, and then they are ready to listen.