One of the key aspects here is establishing the correct mindset, and ensuring that people are working for (or at least with) security rather than against it. Unfortunately, people are very often perceived as an obstacle rather than an asset in this regard.
Steven Furnell and Kerry-Lynn Thomson. From culture to disobedience: Recognising the varying user acceptance of IT security. Computer Fraud & Security, 2009(2):5–10, February 2009. doi:10.1016/S1361-3723(09)70019-3.
@article{furnell_culture_2009,
abstract = {It is often observed that addressing security can be as much about people as it is technology. One of the key aspects here is establishing the correct mindset, and ensuring that people are working for (or at least with) security rather than against it. Unfortunately, people are very often perceived as an obstacle rather than an asset in this regard. Indeed, to quote an Information Security magazine survey from a few years ago, one of the biggest hurdles for organisations to overcome in their attempts to address security is the problem of ``unalert, uninterested, lax, ignorant, uncaring end users''.1 One of the most prevalent problems when protecting information assets is the apathetic attitude, and resulting actions and behaviour, of employees. Given that the corporate culture of an organisation shapes the beliefs and values of those within it, it becomes essential to address the mindsets of employees and ensure that relevant security knowledge and skills are communicated to them. However, organisations cannot assume a uniform starting point; employees will have varying degrees of compliance that may evolve to become more compliant or more disobedient depending on the guidance provided by management. This article examines the levels of security acceptance that can exist amongst employees within an organisation, and how these levels relate to three recognised levels of corporate culture. It then proceeds to identify several factors that could be relevant to the development of culture, from traditional awareness-raising techniques through to context-aware promotion of security.},
author = {Furnell, Steven and Thomson, Kerry-Lynn},
doi = {10.1016/S1361-3723(09)70019-3},
issn = {1361-3723},
journal = {Computer Fraud \& Security},
month = {February},
number = {2},
pages = {5-10},
shorttitle = {From Culture to Disobedience},
title = {From Culture to Disobedience: {{Recognising}} the Varying User Acceptance of {{IT}} Security},
volume = {2009},
year = {2009}
}