At one place I worked there were two camps: one that wanted to shame and publicize the culprits and the other that wanted to educate... (and in my opinion I reported to the worse)... the one that wanted to shame.
So the two groups argued extensively every time that an incident happened and fortunately (MHOO) we never shamed anyone. This proved beneficial when a C-Suite executive opened the wrong file... can you imagine shaming a Sr. Vice President (not sure I would still have a job after that)?
Once we went through an M&A, the new organization decided to err on the educate side (thankfully).
This education included sending "internal phishing emails", tracking the culprits and then providing departmental education (so no one person was targeted but everyone knew that someone in the group had done something wrong). We worked to change this so that Phishing became part of the ongoing Security Awareness training.
Probably an ongoing argument in many organizations.