Two exploit vectors account for the vast majority of computer security risk inside most organizations: unpatched software and social engineering. If you don’t concentrate on these two areas, youre wasting your time. The fact that you’ll always have users who will click on anything doesnt absolve you from trying to educate. In fact, current evidence shows you cannot be a successful defender without a top-notch user education program. Training can target enterprises or home users, with specific content for both.”]
Source: https://www.csoonline.com/article/2920804/get-real-about-user-security-training.html