Good article on security awareness. One sentence summary: build your security awareness program, educate the users AND prepare that it WILL fail miserably.
"Some end users may help, but you can't rely on all of your users to do anything. End users are hopeless. If you use that as your first premise, you've got a better chance of building a truly secure environment."