You can't fix a human problem with a technology solution. Here are three reasons why user education can work and six tips on how to develop a corporate culture of security.
I strongly believe that end-user awareness training is a very important part of a defense-in-depth security strategy. While we need technological controls, controls will never catch everything -- and social engineers will always find new ways to trick users into doing things they shouldn't.
The bottom line is that you can't fix a human problem with a technology solution. You need to train a culture of security.
Unfortunately, a significant portion of the InfoSec community -- including some security gurus I respect greatly -- disagree with me on this. They believe end-user education is worthless. Their arguments are wrong and here's why: