Implement user security awareness training — or don’t