And then you'll be known as the arsehole boss from hell and no one will ever want to work with you. Others will hide what has happened if they can. People make mistakes.
Case in point, 2 people from the same department come and tell me, independently.
"I got this invoice. I was expecting one. I'm sorry but I clicked on it but it did nothing". Too which I reply don't worry but it would have done something just silently. User walked off not fearing IT, I watched what the malware was doing (it just downloaded a file from the internet and created a task to run later. That, in testing, never did anything). Wiped the laptop, all OK.
"I got this invoice person 1 got but I DIDN'T click it".
Person 2 much higher up than person 1 so I trust what person 2 has said.
3 months later. Person 2 has a totally different issue with IE. I remember about the malware. The malware that created a task ONLY if you clicked the invoice file. That task was there. So all along person 2 HAD clicked the invoice but lied.
God only knows what that had been doing on the network for 3 months. That person should of just had a warning from higher up, not a disciplinary, just an education but because of their position all just went quiet.
Nothing ever came of the 3 month laptop infection. No longer work there but know the network is apparently still fine and no sign of the infection.