OPINION: Everyone's heard the stories about the user who keeps their network password on a post-it note stuck to their monitor. But how do you educate users about the risks in lax security?

It's all very well to have a watertight acceptable usage policy and firm principles on how to manage your enterprise's security. But the theory doesn't help if staff at your organisation don't play by the rules.

How do you turn all these great policies into something which is easy for users to follow, and not too time-consuming to manage and enforce?

There's only so many e-mail reminders you can send. The question remains, however, whether general employees in departments outside of IT understand--or in some cases even care--about the need for IT security.

For those who don't have much contact with technology, the restrictions and policies can seem overly draconian, or even unnecessary. Most people have heard of Web sites being hacked or defaced, but many employees don't imagine that this could happen to the company that they work for.

It's a catch-22 for CIOs and IT managers trying to educate staff. On the one hand, you don't want to tell everyone in the company about security breaches. But you do want to drive home the fact that the threats are very real and your enterprise is not immune to the risks.

How does your IT department think outside the square when educating users about IT security? What do you do when users aren't following your company's IT security policies? Talkback below or e-mail us your tips at edit@zdnet.com.au

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.