I recommend this article in the Harvard Business Review (Sept. 2015) entitled " Cybersecurity's Human Factor: Lessons From the Pentagon."
Amongst other things, the article outlines how the Pentagon recognized that minimizing human error is more critical than technical upgrades. The article details how, in nearly all penetrations of the .mil network, people have been the weak link; an individual who failed to upgrade to dual-factor authentication; clicking on questionable links in phishing emails; inserting infected storage devices in secure networks.
While the approach to bulding a secure IT culture throughout the organization may seem a little militaristic to some organizations, the lessons are universal.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.