Causal Awareness

One of the companies I worked with in the past once had fits because a significant portion of the internal user base failed to change their passwords from the system default. They implemented a nicely complex process by which you register, validate, and are then forced to change your password. Which is all very well and good ... you've reduced the risk caused by that one security hole.

But to me, this was a sign that the company needed to take some serious effort raising the awareness of its internal users about security risks. Seriously, if your users aren't aware that a default password is a bad idea, they certainly aren't going to be cognizant of the risks of, for instance, "social engineering".