Hacker News

I agree with your POV and the decisions we have to make as a result. That said, users should be expected to learn computers if they want to use them. If not, they shouldn't be allowed to use them. Same policy I'd have with a buzz-saw in a shop.

So if you fall for email phishing attacks despite training, then you shouldn't be trusted with mass email rights. Likewise, the admins have an obligation to control those resources, and to train users. (If that's too hard to expect, then we need to find out why.)

Point is, users should get the blame for their fuckups-- when they fuck up. It's not an all-or-nothing thing.




I disagree. Unless the user is intentionally TRYING to break the system, it is probably not the user's fault. It is IT's fault for failing to make it easy for the user to understand.

For instance, how about if the login page says in big bold letters: "This is the ONLY page you should ever enter your password on." With this tiny change, moderately competent users are much better protected from phishing attempts that use something like Google Docs forms... although that still hasn't protected them from something like a hand-crafted phishing site. Other techniques can help with this: for example, you could offer a bounty: pay real dollars for the first person to report any phishing site resembling your login page.

Some steps are up to the user, but instead of BLAMING the user, make it EASY for the user.



