If security management wants people to think about security often, and the manager wants people to behave a particular way (like no tailgating, no credential sharing, no door holding) then the manager has to reinforce these VALUES regularly (think parenting). How does a child know what is important to the parents? Repetition, consequences and positive reinforcement are all parenting techniques that work well to modify behavior if applied consistently over the long run. One memo to your kids when they are six to keep their room clean will probably not produce consistent results over the long run. Similarly, business managers need to keep security as a regular topic. They need to provide the leadership to cause their staff to internalize the importance of the mission and to ensure each person understands what the specific expectations are for their behavior.
As the editor of SecurityInterviews.com I have an interest in other people’s interviews in the security space. One of the best interviews and frankly one I would have liked to have conducted in this regard: http://www.youtube.com/watch?v=8_VYWefmy34 but 60 minutes beat me to it….
An interesting paper: FBI Social Engineering Manual Revealed! Federal Bureau of Investigation (FBI) Monograph: Pretexts and Cover Techniques - May 1956 - http://www.mitnicksecurity.com/FBI_Pretexts_and_Cover_Techniques_May-1956.pdf