[jln]

> "train the users" is for me a 30 year mantra that no one out side of geekdom wants to hear

Perhaps a better approach to "training the users" might be for the University to actively attempt to phish its own users on a regular basis.

Those who fall for the phishing could be contacted directly, or have email access limited for some period of time (for example, a reduced sending rate limit).

Making self-phishing a regular occurrence (say, weekly) would train users to recognise and ignore it.

[mgkimsal]

I worked at a financial place that had people randomly roam around looking for 'open' desktops - people who'd left their computer unlocked. The random people would open MS Word and leave a big message on their screen that they'd been 'caught'. It was lighthearted but made the point, and people who routinely left their systems open were eventually dealt with more harshly.

My 'idea of the month' was to turn down the auto-lock time from 10 minutes down to 1 or 2. Wouldn't eliminate it, but generally, people at their desk were using their computer anyway, so it wasn't a big deal, and if you were called away and forgot, the auto-lock would kick in pretty quickly.