Re: A fairly common example
I enjoyed a highly successful career as an Information Assurance Security Officer for a US military installation.
Highly successful in my book is not having accounts, users or data compromised.
Chief among the reasons for that success wasn't brilliant strategy in firewalls, antivirus, patching or rolling bones under the right kind of smoke. It was educating the end user. It was also, as a last-ditch effort, the firewalls, antivirus and patching (I'll not comment on bones and smoke, for Fifth Amendment reasons).
It was also reinforced by the pain-in-the-dick method: end user gets infected or otherwise compromised (assuming no blackmail, as that was a criminal matter and handled by guys with guns and handcuffs), end user goes through the end user security awareness course. It is a mandatory course that takes a mandatory one hour to proceed through, with questions all along the way to ensure a real human takes the course.
It is also required annually for all users. Even myself.
So, once a year, I didn't even want to piss; it was that much of a pain in the dick.
Suffice it to say, the end user didn't re-offend, save once. That end user was reassigned by his commander to infantry. (True story: even the installation commander took the damned course annually, and once twice in a year, due to clicking that which was trained against.)