InfoSec Personnel Management

I found an article on Personnel Management and INFOSEC by M. E. Kabay which I like.  Its basically a paper discussing managerial techniques for managing employees in an organization from an InfoSec perspective.  I particularly like this analogy for how employees

What would you do if you discovered that an employee who used to occupy your current office still had the key? You would politely ask them to give it up. No one would question the reasonableness of such a request. However, when you remove access to the network server room from a system analyst who has no reason to enter that area, you may be treated to resentment, sulking and abuse. People learn about keys when they’re children; they don’t extend the principles to information security. People sometimes treat access controls as status symbols; why else would a CEO who has no technical training demand that his access code include the tape library and the wiring closet?