Should they be held accountable for their scam-email-opening ways? Should we tell them off at assessment time, brand them with a mark of shame, or, just maybe, a third option: invest a bit more in decent security training?