A short list of things to keep in mind when designing for security

The user needs to be aware of the tasks they have to accomplish and has to understand the risks and consequences if they don’t do them.

  • Clear instructions and security policy - why are there security concerns?
  • Use the right mechanism only when required, to avoid habituation and reflexes that could lead to a security risk (i.e. the user doesn’t read the pop-up and closes it systematically) // If the user has developed a risky habit, maybe it’s because the design is flawed.
  • Is the task easy enough to allow the user to accomplish it without looking for an easier and less secure solution? (shadow IT)
  • The user has to remain comfortable with the interface (usability!)
  • Give feedback! The user has to be able to see as soon as possible that there’s an error or a security issue, and be able to understand it. The sooner, the better, to prevent dangerous errors.
  • Security needs to be visible, but less secured and/or risky spaces have to be emphasized as well (i.e. the green lock in Chrome is noticeable, but nobody really notices when it’s not there…) // WYSIATI
  • The security of a network or of a solution is only as resistant as its weakest link. Random exploration can help in identifying it (users will do random exploration).

Useful references: