The Battle of Thermopylae, also known as “The Hot Gates,” fought in 480 B.C. is often put in the context that 300 Spartans held off a huge Persian army. In reality, the 300 Spartans were not alone during the battle. Alongside of them fought Athenians, Thebes, Thespians, and a variety of other united Greek forces. All told, until the last day or so, the Greeks had a force of between 7,000 and 10,000 soldiers at Thermopylae. The key difference is that the Spartan warriors were bred as warriors – they were professional soldiers. The Athenians, Thebes and Thespians were soldiers, but most of them had other, full-time jobs, and fought in the army when they were called upon.
Your users are not Spartan warriors. They are developers, engineers, designers, craftsmen, lawyers, nurses and so on. They are not professional security geeks. They don’t think like hackers. Elevated security measures do not come naturally to most of these people. They all have real jobs to do which are NOT focused on information and cybersecurity.