Here’s an observation from my recent experience: users who are subjected to the authority of computer security schemes will relish the opportunity to defeat and/or work around those security schemes in equal proportion to how capricious those security schemes appear to them.
In my current situation, I am faced with the need to access a particular server that is behind a firewall, controlled by others. After several attempts to address the proper authorities in the proper manner — i.e. “doing the right thing” — and having been exposed to their seemingly arbitrary authoritarian methods, I’ve simply decided to give up, and use a technical fallback that allows me to achieve the same ends without their say-so.
I’m not suggesting that all authority is capricious, nor recommending trickery as a universal response. However it would do all computer security authority figures well to consider how their schemes appear to those that are subjected to them, for that, at least in part, will determine how effective they are.