Many things to do with security can be changed: you can change the firewall settings, you can change the locks, you can change process, you can change policy. What you cannot change is human nature. That’s why there are still stories in the press (read here) about people giving their passwords away in exchange for bars of chocolate.
Bruce Schneier, on his blog, says that he is “sick of this story.” I’m suprised this he’s surprised it’s still be reported. However, as he quite rightly questions, who’s checking that the passwords being given are genuine? I’m not sure that it matters – fact is that the easiest way through to compromising data will always remain the human factors. Whether that be through tail-gating, pretending to be an employee, or conning the information by holding a clip-board and looking important most people are gullable, trusting, and loath to question for fear of getting into trouble.
I saw the results of a test of physical security controls for an organisation that supposedly has very good security awareness. Every part of their office except the server room was compromised. How well do you think your office would do?