Such a huge topic. In my experience getting users to buy into their role in security is imperative and it's also pretty difficult. We've all seen examples of machines that are left unlocked in open offices. We've seen corporate IT departments that have mandated the use of technologies such as smartcards for authentication.
Technical folk often ask about the cryptographic capabilities of devices drilling into the implementation details. And yet so many users seem to think that the best place to store their smartcard (when it's not required) IS IN THEIR MACHINE!
I've lost count of the number of bent smartcards I've seen as a result of living in machines.
... not against them. We can scream and crab forever about what people do ... useless. Maybe these cards should be auto-eject or something. Or maybe they are wrong, period ... maybe hardtokens are better which tend to be on keychains.
Anyway they get bent if you leave them in and then don't work!
If all the cards that were left in broke as a result then I'd be happier - I've seen many that continue to work perfectly well.
I agree with James Risto's comment - work with them. As someone who works between an IT dept and the business I often find that if the users understand why they need to do something (in layman's terms) and the impact it has on them personally, then they will often buy in. If you tell them that by leaving their PC unlocked someone might send a malicious email to their boss, that usually makes them think. But like most things in life you have to tell 'em three or four times in different ways (tell them, show them, let them read it, etc.) before the message sinks in.