Don't assume people will read the security policy!
Just because the policy is posted, does not mean everyone will read it.
Policy, like any other communication, must be marketed. It is the role of the security professional to show the end-users the value and how it helps them. Make it personal.
References: SANS.org blog: How to Suck at Information Security