How much depth is it really adding, though? Harassing non-specialists seems to have relatively limited value – plenty of security staff get phished – and there is a risk of making people think of the security group as adversaries.

I would certainly agree that the exercise could have some value, but I think it would be wise to weigh that against the costs and especially to think about how you can make it supportive rather than punitive. In particular, most people are not only not given good tools for making untrained security decisions, but many of them will also be told to violate that advice regularly. For example, what percentage of vendors, outsourced HR, etc. will tell people to open unexpected attachments or click on links which are difficult to distinguish from phishing? SolarWinds was far from the only company training their customers to ignore security errors on installers, too.
