An item to add:
- Failure to make security a 'habit'.
Our company doesn't go in for punishments or threats, it will just inconvenience you if you violate security policy.
Leave confidential documents out, they get confiscated and a note is left to pick them up at security.
Ditto that for unsecured laptops.
Pretty soon people get into the habit as they learn that the inconvenience of following the policies isn't nearly as bad as not following the policies.
You could also add "failing to stress the importance of security." If you get the "Yeah, yeah" response, they're not taking it seriously.
Another place I worked would periodically try to hack your passwords.
If they succeeded, you would get an email detailing how long it took, and that your password had been reset. You would then have to go through a somewhat painful process to reset it again.