Can You Fix A Human Problem With A Technology Solution?



Let me be clear from the get-go: maybe partially, but never 100%. Hundreds of IT security companies have tried and failed; just look at the malware infections you are battling regularly. Moreover, the world of computing is rapidly evolving to where end-users define the boundary of your organization, each one of them individually "being the perimeter".

Human problems need, first and foremost, education, and when that is done effectively, you have created a change in behavior that can be measured and managed. You have created a "security culture". End-user Security Awareness Training is a very important part of your defense-in-depth, although you also need a myriad of technical controls in place to be secure (and compliant).

The problem is that social engineers are always a step ahead, and you need to keep your users on their toes with security top of mind. That means ongoing simulated phishing tests of varying kinds, so that at least once a month (twice or three times is better) users get exposed to simulated phishing scams themed around Banking, Social Networking, IT, Government, Online Services, Healthcare, and Current Events.

Now, some security gurus disagree with this position, and Corey Nachreiner over at Dark Reading has a great article that looks over the counterarguments and takes them apart. If you think security awareness training is useless, read this article with an open mind and then tell me what you think.
http://www.darkreading.com/operations/dont-let-lousy-teachers-sink-security-awareness/a/d-id/1269529?



