Hello Khawla
Even if you change the MAC address of the laptop, it is possible to set port security so that it allows only one MAC address. For ports that are not in continuous use, say a network jack in your lobby or your conference room, you can set that switch port so that it accepts NO MAC address at all. So it will only be enabled when you go in and allow it to be enabled.
Even if a malicious user unplugs a PC and plugs in their own, that port can be configured to work only with the MAC address of the PC. Now if the malicious user learns the MAC address of the PC and changes the MAC address on their laptop to match, then yes they will be able to gain access. However, in such a case, you can use 802.1x. In this case, on your laptop, you will be prompted for a password in order to enable the port and gain access. More information on how you can configure this can be found here:
I hope this has been helpful!
Laz