Humans
I suspect this report could be duplicated in most Western governments, + or - a few percentage points.
When something is inconvenient people tend to consciously and unconsciously try to avoid or circumvent it. Also we can have goldfish memory for the rules.
We consistently have people try to do things that the provided training explains is a bad idea. They justify it by telling themselves they are trying to be efficient or productive or whatever, but it usually boils down to "I do that at home and I haven't had my computer hacked". Of course they have no idea whether or not they have been compromised. For that matter we probably don't really know whether we have been compromised at work - but based on our users and just how many vulnerabilities there are I would be surprised if we haven't been to some extent. We certainly try to adhere to best practices, but sometimes funding and manpower dictate prioritizing what gets done. And there I go justifying!
Biting the hand that feeds IT
