Nothing to do with intelligence either. Most people don't grasp the consequences of bad OPSEC, though they can fairly well understand why they should lock their door when away from home.
It was a funny conversation with a senior developer when I noticed he had his business card and his key card to work on the same extensible thingy that you clip on to your pants.
I remarked there's a reason why the key cards are unmarked, right?
It isn't just individuals who can't into OPSEC though. Soon after this conversation, the company created a policy saying you have to pay $10 to get a new key card if you lose your key card.
I thought that was stupid. Now, suddenly you have incentivized people to NOT report they don't have possession of their key card any more. We want people to report the instant they lose access to their key card, not three days later when they have exhausted all options. My understanding is that you can easily reactivate a key card if it is found again and the risk of unreported lost cards outweighs the cost of a new key card.
At a previous place, we had one single card for everything: enterprise restaurant, parking entrance, building entrance, Windows session, S/MIME signature & decryption... You were more or less unable to work without that card, so it was immediatly obvious if a card was missing.
I also agree with the conclusion (the risk of unreported lost cards outweighs the cost of a new key card).
