Clear indication that just because you were "trained" on IT security practices does not mean you understand them. Training and random internal phishing need to be regularly implemented to ensure comprehension is actual, and not just feigned.
You'd be amazed at how stupid people are, even with training. We used to do test phishing messages to our users and we still had tons of people fail them... more often than not because English was a second language to them in other facilities. I used to be the lead for physical security at my old location and I still had to write up people regularly for leaving doors propped open when they went outside for a smoke or whatever, and this is with yearly refresher training that people signed when they were done with. I got friggen tired of dealing with the stupidity and lack of support from management in punishing people (aka make an example of a person) so people would get the point.