What About the Authorized User?

There are plenty of security products on the market–from firewalls to IDS/IPS to NAC, etc.–that are designed to identify and alert suspicious events. Network traffic is being analyzed deeper and deeper in order to identify this type of traffic (a fair amount of which is correlated back to internal users some authorized and some not).

While I think these devices are necessary, I wonder what is being done both proactively and reactively to the offending user and, more broadly, the user population? Yes, there will always be malicious users regardless of what is done but I am curious to know what programs are directed at the user population from a security point of view.