One of the biggest security concerns IT departments face is the protection of passwords. End users are often unaware of the security implications of sharing or failing to protect their passwords. Most organizations put policies in place, but the reasons behind those policies are frequently never explained to the end users. It can be very convenient for an end user to share a password with a colleague when calling in sick or needing someone to cover a shift. Explaining the security implications of such practices makes sharing passwords much less tempting in those situations.
Another concern is that passwords are only as secure as your end users make them. A strong password policy is a must, but it, too, is often misunderstood by end users. Passwords quickly become too numerous and lengthy to remember, so they get written down and hidden somewhere near the workstation.
To help end users come up with passwords that are strong yet easy to remember, I use this trick: When assisting end users with creating a new password, I suggest that they choose two characters to replace with numbers or symbols. For instance, instead of using the password Football, an end user could use the password F00tb/\ll. Replacing each occurrence of the letter o with a zero (0) and replacing each letter a with a forward and backward slash (/\) are easy-to-remember substitutions that help create stronger passwords. The end user can apply the same substitutions at every password change (e.g., F0rtun/\te), which makes remembering strong passwords much easier and writing passwords down less likely. One caveat worth stating to users: password-cracking tools apply exactly this kind of character substitution as a standard mangling rule, so the substitution only pays off when the underlying word is not a single dictionary word or a name; the substitution adds symbols and digits that satisfy policy, but the base word still has to be something an attacker would not guess.
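The following is an added example, not code from the original article: it implements the substitution scheme described above (o → 0, a → /\) and then plays the attacker's side, undoing the substitution and running a small rule-based dictionary attack against a hash of F00tb/\ll. The wordlist, the SHA-256 hash (standing in for whatever hash the real system uses) and the two-rule attacker are all constructed for illustration; they show that a fixed, predictable substitution roughly doubles the attacker's work rather than multiplying it by the symbol alphabet, which is why the choice of base word still matters.

```python
import hashlib

# Substitution scheme from the article: each 'o' becomes '0', each 'a' becomes '/\'.
# (Illustrative constant; the article does not name it.)
SUBSTITUTIONS = {"o": "0", "a": "/\\"}


def apply_substitutions(word, subs=SUBSTITUTIONS):
    """Turn a memorable base word into the substituted password (Football -> F00tb/\\ll).

    Only lowercase letters are replaced, matching the article's examples.
    """
    return "".join(subs.get(ch, ch) for ch in word)


def invert_substitutions(candidate, subs=SUBSTITUTIONS):
    """Attacker's view: map a substituted password back to its base word.

    Longer replacement tokens are matched first so '/\\' is recognised before '/'.
    """
    tokens = sorted(((v, k) for k, v in subs.items()), key=lambda kv: -len(kv[0]))
    out, i = [], 0
    while i < len(candidate):
        for token, plain in tokens:
            if candidate.startswith(token, i):
                out.append(plain)
                i += len(token)
                break
        else:
            out.append(candidate[i])
            i += 1
    return "".join(out)


def hash_password(password):
    # Fast unsalted hash used only so the example runs offline; a real system
    # should use a slow, salted password hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed wordlist; a real attack would use a list of millions of words.
WORDLIST = ["password", "Football", "Fortunate", "Baseball", "Welcome"]

# Mangling rules the attacker tries, in order: the word as-is, then the
# article's substitution scheme applied to it.
RULES = [lambda w: w, apply_substitutions]


def crack(target_hash, wordlist=WORDLIST, rules=RULES):
    """Rule-based dictionary attack.

    Returns (base_word, guesses_needed) or (None, total_guesses).
    """
    guesses = 0
    for rule in rules:
        for word in wordlist:
            guesses += 1
            if hash_password(rule(word)) == target_hash:
                return word, guesses
    return None, guesses


if __name__ == "__main__":
    pw = apply_substitutions("Football")
    print(pw)                                   # F00tb/\ll
    print(invert_substitutions(pw))             # Football
    print(crack(hash_password(pw)))             # ('Football', 7): found on the 7th guess
    # A base that is not in the wordlist survives both rules.
    print(crack(hash_password(apply_substitutions("Ravenloft"))))  # (None, 10)
```

The point of the attacker half is the guess count: with a two-rule attack the substituted password falls on guess 7 of 10, so the substitution bought one extra pass over the wordlist, not a new search space. Teaching users the substitution is still useful for meeting complexity rules memorably; pairing it with a base word that is not a dictionary entry is what makes it hold up.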
Believing that end users will blindly follow security guidelines simply because a policy is in place is setting yourself up for disaster. Explaining the reasoning behind the policy and taking a human-centered approach are often overlooked, but they can have a significant effect on password compliance in your organization.