I have just been involved in an unannounced security test in the organization and had one hell of a fun week.
We first created some PDF documents with a neutered version of Conficker that would register on our antivirus defenses. Then we created very official-looking CDs and mailed them out to a number of people in the organization.
After this it was just a matter of waiting for the alarms to show up in the antivirus monitor and then calling the perpetrator.

You have no idea how many bad, stupid, funny excuses we have been served.

- “I did use a standalone machine to scan the CD, and it did find the virus, so naturally I thought that it was OK to use the CD in our production network.” Because, as we all know, antivirus programs can turn an ordinary CD drive into a burner, reopen a finished burned CD, remove the infected files, re-burn the CD and finish it again, all in a matter of seconds.

- Another user inserted the CD directly into his production network machine, got the virus alarm, then removed the CD and gave it to the security manager of his department, who promptly inserted the CD into his own production network machine and clicked on all the infected files.

- One user got the antivirus alarm and promptly called his trade union representative.

- One user insisted that because we had mailed him the documents (all with important and interesting-sounding management report type names) he was now entitled to access to the “real” documents. He was unable (or unwilling) to accept that the documents were all fake and non-existent, and we would be hearing from his boss shortly.

- One user flatly denied having even heard about the CD, let alone inserted it into our systems. He was on the list of people we had sent the CD to.

- One user first spent 45 minutes arguing his case, then called us back three times that day with new arguments that he had dreamed up.

- One user insisted that we delete all references to his name in our logs and would not accept that our organization is regulated by law regarding production environment logs and we cannot delete or edit them. He got very angry and threatened legal action and physical violence.

The above is just a sample of what we got. I would recommend that you do the same, but record the phone calls. They will make your day at future office parties and when you are bored.