Such a huge topic. In my experience, getting users to buy into their role in security is imperative, and it's also pretty difficult. We've all seen examples of machines that are left unlocked in open offices. We've seen corporate IT departments that have mandated the use of technologies such as smartcards for authentication.
Technical folk often ask about the cryptographic capabilities of devices, drilling into the implementation details. And yet so many users seem to think that the best place to store their smartcard (when it's not required) IS IN THEIR MACHINE!
I've lost count of the number of bent smartcards I've seen as a result of living in machines.