Security Policies? What Security Policies?

Computerworld - I was having lunch with a group of IT department staffers when the conversation turned to the rash of virus-related worms that have plagued our organization over the past few months. Too many times, I said, an unsuspecting employee has opened an e-mail attachment from an untrusted source and introduced malicious code into our network.
To my surprise, one person asked, "How are we and other employees supposed to know not to open certain types of attachments?" I was stunned. We have an orientation program and policies that have been published to educate employees on the acceptable use of IT resources, I explained.
They looked at me with blank stares. None of the half-dozen people at that lunch table -- a mix of veteran staffers and new hires -- had ever seen our IT security briefing or the published security policies that I had labored so hard to produce. Yet we had posted the policies on our intranet six months ago, and they're supposed to be required reading for every employee.
In addition, I had given the human resources department a copy of our security policies and a PowerPoint presentation that it could use to explain them to new employees. HR was supposed to be using the slide show to brief all new hires during their orientation workshops.
What happened? Unfortunately, there isn't a procedure to require new employees to read the policies or a sign-off mechanism to ensure that they have read and understand them.
In addition to developing the presentation for new hires, my department had broadcast several e-mail messages to current employees, with a pointer to the IT security Web page that contains our policies, procedures and guidelines. That page had received just 560 views from a population of more than 6,000 employees.
I proceeded to follow up by scheduling a meeting with HR. The woman I spoke with was new; the HR representatives I had dealt with before had left the company. She said she had seen the IT security presentation but wasn't aware that HR was supposed to be using it. And her priority, she noted, was handling things like payroll and benefits.
She did assure me, however, that she would eventually review the materials and start presenting them.
Clearly, it wasn't registering with her that this might be important. So I explained how the recent virus outbreaks had consumed countless numbers of man-hours and caused much frustration within the IT department.
As it turned out, the HR staffer remembered someone calling her to schedule