A week doesnt go by where we read about some attack that is precipitated by bad user actions. Most security awareness failings are actually failings of security programs. The safety profession has been asking similar questions for years, and has achieved incredible success in reducing loss. This process saves many organizations millions of dollars a year, and in large organizations, possibly hundreds of millions a year. The remaining injuries seem to result from either people failing to follow policies and procedures or carelessness/inattentiveness.”]
Source: https://www.csoonline.com/article/2853448/do-you-create-stupid-users.html