In order to limit (hopefully avoid) InfoSec risk, we use controls. These can be technical or administrative.
Either way, they will involve humans who need to understand and accept the controls. In general, we may require people to wear seatbelts, pick complex passwords or quit smoking at work. Co-workers will find ways to circumvent controls that they’re not motivated to accept.
Any technocrat can pick the strongest control. A wise leader will consult and motivate his team before implementing it.
Read more about employee disengagement at Sonia Jaspal's RiskBoard.