"high risk users" how do you drive the point home?

looking for advice, as this strays a little bit from typical IT ops.

working with a medium sized client (1100 employees) who have incorporated on boarding awareness training and regular phishing tests to establish security baselines/risk. This process runs pretty smoothly.

However, management now wants to be a bit more "forceful" with employees who don't complete the remedial training (if clicked) and "habitual clickers" (staff that click on everything). I tried to explain that it's not really up to my …

advice awareness awareness training baselines client cybersecurity don drive employees high home management medium phishing point process risk security staff tests training working