We could take a human-centered or human factors approach to answering the question, “Why don’t we do what we’re supposed to do, and what can we do differently to get a better outcome?”
We'd have to drive conversation to the point where the rubber meets the road, by which I mean an action or behavior, performed by a person, which creates a particular harm. Assuming we could categorize the harms in a way useful for analysis (I'm not a cyber SME), we could use backward mapping as follows:
1. Describe the current activity you wish to change (a behavior which creates a definable harm, such as leaving the device connected to a secure network, unattended; writing down passwords and leaving them public; visiting unauthorized websites; etc.)
2. State what is wrong with the current activity and what triggered the need to change it (the harm it creates)
3. State what improved activity you wish to see occur (proper/safe/SOP/etc. behavior)
4. Identify organizational/systems’ elements and operations which must be amended or substituted in order to enable personnel to implement the improved activity (this is an ecosystem/economics type question – what are the incentives for people to perform the harmful behavior?)
5. Develop plans to amend or substitute each identified organizational/systems’ element or operation, guided by the goal of enabling personnel to implement the improved activity (specific recommendations to change or prevent specific behaviors)
We could also analyze or portray ideas using the classic Fishbone diagram. "Effect" could refer to "harm." To identify behavior change/control ideas and make recommendations, we could agree effect refers to "protection," or we could flip the content from cause-effect to action-result.