This, of course, is a trick question, as the correct answer is "both." If security is a coin, then on one side of the coin are automated security controls and on the other side is the "human firewall."
When it comes to minimizing your cyber risk, it is not an either/or situation. Organizations should implement automated security controls (i.e. the Mimecast Targeted Threat Protection family of services), and not overburden users with determining what are or aren't cyber threats -- in many cases, this can be done efficiently and effectively by security systems.
But because there is, and never will be, 100% effective preventive security controls (attackers are just too good for that), it is important to also continuously invest in the right user awareness at the right time that leads to increased security understanding and caution of your user community.
Why do I bring this up now? Anyone here in the community using Targeted Threat Protection - URL Protect, for example, knows that this is exactly Mimecast's philosophy -- the two-sided coin. User awareness during the teachable moment of clicking a link has been a built-in feature of URL Protect since the beginning. And now I am very happy to share that we have extensively revised and refreshed this capability to make it clearer, simpler, and really, almost a game for users to play as they go "clickety-click" on links in emails.
If you liked the User Awareness capability of URL Protect in the past, you should love the new capability. Check out the recently posted Service Update that discusses this feature in more depth and provides the current target dates for arrival on a grid near you.
We have been using it for about a month at Mimecast (yes, we drink our own Champagne!), and the response has been very strong.