I would be happy if users just took the 1st step in the right direction and lock thier computer when they leave their desk. Once that is drummed in then we can start on password, email and Inertnet.

I have to say the way I managed to get a few people to understand was by sending emails from their computer when they had walked away. It had more impact on the people still at their desks when they suddenly saw how easy it was and they didnt want people sending from name.

We fortuneatly have a very strictly controlled Internet access and mailsweeper, many users can't get in to the situation when they might be installing or opening something they shouldnt be but for all that we still have to drum the importance of it all in to them. Too many users still consider a computer a "magic box" and untill that is changed getting them to understand security is going to be very hard.

sorry for the rant - having a bad user day