As I read Security breaches: Blame the new guy I thought why not test who is prone to social engineering breaches by sending an internal spoof 'virus' that has no payload save for a counter of offenses? Of course, firms that would launch it would capture names and email addresses but that is acceptable so long as any penalty is reserved for repeat performances.

"Independent research conducted on behalf of SurfControl has revealed that almost half the HR and IT departments surveyed believe it is junior positions which expose the company to the greatest threat."

"... junior and temporary staff doesn't often feel the same degree of responsibility at work "mostly because they haven't been allowed and encouraged to share it.""

The untrained, inexperienced, and the guileless are the equivalent to the "serial buyer" prized by spammers and, formerly, telemarketers. These "serial openers" and proto-openers may or may not be the new hire or the pedestrian positions. Why not test to find out? Send out different style 'simulants' to see who responds to what.  I think that many firms will be surprised, especially when it comes to those who frequent P2P sites.