But it depends on the user wanting to learn and us taking the time to teach them. Also it is up to us to test their knowledge in simulated real situations and use the results of those tests to determine where more teaching is necessary.

For example, besides the regular training and use of proxies and security suites, my employer occasionally sends out test spam/phishing/virus emails and it lies with the users to recognize and report those emails. Some people report them, some ignore them, and inevitably some fall victim to the test messages.