Sunday, May 3, 2009

How do we keep users aware of security concerns?

An organization can only succeed in securing its data and assets if security is a company-wide effort. Most security failures involve one or more technical failures combined with a human failure, social engineering being the classic example. One of the challenges we face in dealing with the user community is that we need them to be vigilant all the time even though the threats we face arrive very rarely (or, hopefully, not at all). I have several thoughts:
  1. Design systems to take the rarity of threats into account, and build better "detection" systems in addition to better "prevention" systems, since a rare event is easier to notice than to prevent every day.
  2. Vary the reminders that people get about security so they don't tune them out.
  3. Make sure that we design systems so they fail safely: when a security check cannot complete, the system should deny and report rather than quietly allow.
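The third point is the one most easily shown in code. The example below is added here and is not from the original post; it contrasts an authorization check that fails open (an error in the rarely exercised security path silently allows the request) with one that fails closed and records a detectable event. The policy table, the `policy_backend` stand-in and the `check_access_*` function names are assumptions made for illustration.

```python
# Added example, not from the original post: fail-open versus fail-closed
# authorization. The policy table, `policy_backend` and the `check_access_*`
# names are assumptions made for illustration.


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot answer (timeout, outage, bad data)."""


# Constructed sample policy: (user, action, resource) -> allowed?
POLICY = {
    ("alice", "read", "payroll"): True,
    ("alice", "write", "payroll"): False,
    ("bob", "read", "payroll"): False,
}


def policy_backend(user, action, resource):
    """Stand-in for a remote policy service. Unknown tuples raise, the way a
    real backend might fail on a network error or a malformed response."""
    key = (user, action, resource)
    if key not in POLICY:
        raise PolicyUnavailable(f"no decision for {user}/{action}/{resource}")
    return POLICY[key]


def check_access_fail_open(user, action, resource):
    """The anti-pattern: a backend error is swallowed and the request is
    allowed, so an outage (or an attacker who can cause one) becomes a bypass."""
    try:
        return policy_backend(user, action, resource)
    except PolicyUnavailable:
        return True


def check_access_fail_closed(user, action, resource, log):
    """Fail safe: any failure to reach a decision denies the request and
    appends an event to `log` so the failure is visible to detection,
    instead of being silently allowed."""
    try:
        allowed = policy_backend(user, action, resource)
    except PolicyUnavailable as exc:
        log.append(f"DENY {user} {action} {resource}: policy unavailable ({exc})")
        return False
    if not allowed:
        log.append(f"DENY {user} {action} {resource}: policy says no")
    return allowed


if __name__ == "__main__":
    events = []
    # "carol" has no policy entry, so the backend fails.
    # Only the fail-closed check denies her and leaves a trace.
    print(check_access_fail_open("carol", "write", "payroll"))
    print(check_access_fail_closed("carol", "write", "payroll", events))
    print(events)
```

The logged denial is what ties the third point back to the first: a fail-closed path that also emits an event gives the detection side something to alert on during the rare occasions when the security path is actually exercised.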

