Security will never be easy

by Jesse 14. July 2008 07:27

I've been on a bit of a security throwback the past few days, bouncing around the web reading, reviewing, and relearning some stuff, and I'm happy to report that nothing has changed.  At all.  Not even a little bit.  Consider this blog entry by a security optimist.  He's hopeful there's a more better way to solve the security resistance, so I posted the following comment, less some unnecessary info.

Users are focused on their job, nothing more.  Security must be either transparent or enforced by the bosses/masses.  Take this example...

You have a 3-year-old that's obviously sick.  At first, the idea would be to allow the child to take something to make him/her better, willingly, but after, say, 5 attempts, the forceful method is used and the child gets better.  The child learns that, as bad as this is, it's better to take it willingly because in the end, the outcome is favorable.  Where's the gap?

Security from a user's perspective never goes from "sick" to "better" based on their actions.  It never went from "better" to "sick" based on their actions either.  This goes for most managers and home users too.  It's the "all of a sudden" syndrome.  Even worse, it's really hard to get back to "better" when the "sick" level has been reached, especially when things like credit cards, SSNs, etc. have been compromised.  Bad day, UpdateResume();

The insane amount of work comes from making it transparent and necessary.  It's really easy to flip a switch and say "it's on"; it's hard to have someone come into a room, then have a camera and a fingerprint reader decide if they're allowed to see the room, and then have the lights come on and the door open based on that decision.  It's even harder to determine "what is necessary" and for what people at what time.  There's no magic formula.

I believe that in small shops, this is easily obtainable thanks to a sense of ownership.  Large companies, not so much.


About the author

Like the description says, at my core, I'm a scientist and engineer.  I came from humble beginnings on a 486DX2 Packard Hell playing doom2 on IPX to in a small time retail shop and got into hardware (ISO layers FTW!) and it was all downhill from there.  I'm infinitely curious about almost everything and always wanting to know.

Some of the stuff I'm currently into/researching...

Sitefinity

Ninject

Subsonic

Java

Currently working on ...
i did the hundred 
and some extra stuff

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's, their brother's nor their dog's view in any way.  At all.  Ever.

© Copyright 2007-2008