A better approach is to turn it into a game: reward those who report suspected phishing emails, security breaches, tailgating into secure areas, USB devices left around, etc. and have red teams doing this stuff periodically. Punitive measures don't really work. Friendly competition with rewards does work, though.
In our case we were educating and protecting our customers. It's usually bad policy to carry out punitive punishment on your customers. :)
In fact, the worst offenders were actually rewarded. They were the only ones who had two-factor auth for their eBay accounts. Back then we didn't have soft tokens -- the only way to do 2-factor was to get a physical RSA token, which cost about $10 at the time. So only the "best" customers were worth the cost.