Administrators can do so much, but social engineering has to take the rest of the slack up and help those people learn these things, and not just to sign a piece of paper to CYA, that to me is more dangerous than leaving them ignorant to the importance.

I’ve been through corporate security training, it was all of 10, maybe 15 minutes, sign the paper and go on with life. That kind of policy is to me weak, and only meant to appease attorneys. I realize there’s costs associated with training, but how do those compare to the costs associated with a breach related to uneducated personnel.