Fellow blogger Jason Bevis set me thinking today with a paper suggesting that one might deliberately seed a 'mole' in a software development project team whose job is secretly to exploit his colleagues using social engineering techniques. The idea, then, is that the results of his/her underhand activities would provide enlightening and motivational fodder for security awareness/training sessions.
You'll see from the discussion on the paper that I'm dubious about the possibility of even being allowed to do this as a deliberate ploy, although I agree that 'catching people in the act' can provide good case study-type materials. I've suggested that similar information can be obtained openly using typical penetration testing, audits, management reviews etc., without the need for cloak-and-dagger stuff that can so easily backfire ... but what do you think? Would you try something along these lines?