Bruce has a piece on his opinion of security awareness training.
I cannot disagree with everything what he is saying, you cannot teach advanced knowledge or even basic security knowledge to all of your users. There is always going to be a few that don’t take it in for what ever reason or choose to ignore it. But what do you do? What can you do?
At minimum I would like to see users at point where they will stop and question something before leaping. Even if you can get %20 of users to not click on a link in their email, I still think that is a win. This is the only part I do not agree with. I think awareness training with users just to be an introduction and a brief and I mean a brief 10 – 15 minutes talk, just to explain the purpose of the complex passwords and who to call if something feels wrong.