Mike Rothman in his latest Pragmatic CSO Newsletter (I highly recommend subscribing) has a really good post up about our responsibility to ensure that user community understands why they should be adhering to established policies and not attempting to circumvent controls put in place to protect our organizations.
I left the following comment and now am going to reuse it as a post
I have been reading the book "Influencer: The Power to Change Anything" which I highly recommend. In it they posit that there are essentially six sources of Influence. They fall into two categories and what I call three strata. The categories are motivation and ability and the strata are personal, social and structural. Where motivation and personal intersect, the source of influence is defined as "Make the Undesirable Desirable."
If the general user community does not desire to adhere to or follow established policies and is actively attempting to circumvent controls, then we have failed to instill in them a desire to be compliant. It is our responsibility to influence them to change that mindset, in other words, to make the undesirable desirable.
So how do we do that? What you suggest exemplifies what the authors of the book have discovered. People are much more likely to embrace ideas when they have been shown the consequences of ignoring those ideas in a very personal and impactful way. I'm not saying that we should all use the specific scenario you suggest, although it would certainly bring
home the messages , but we do need to find ways to instill awareness into our user communities that is much more personal than "read this policy and sign this paper."