Another thing that is useful is unannounced security audits. You call up a user, give them a false name and try to get their password off them. If they respect the company's policies you shouldn't get it.
I used to combine this with a monthly or bi-monthly report. Add a password scan with details on how long it took you to get 90% of the passwords in the company and most people sit up and take notice. Especially with things like 25 people out of 50 using "god" as their password. Basically what I am saying is more or less the same as what has been said before: educate your users and communicate the importance of security to them.