I used to work at a large organization with annual security training requirements for all employees. It consisted of hours of ridiculous scenarios where the correct answer was always "don't open attachments from people you don't know and report anything suspicious to IT." I've often thought that requiring everyone to read "Ghost in the Wires" would be a much more effective way to show people how social engineering and phishing would actually work.
