Security Awareness Training. What’s it all about?

Nobody likes sitting through it, and security professionals generally don't enjoy delivering it either. Yet it is a much maligned and underestimated part of protecting the organisation. You will generally (eventually) patch your systems and upgrade your software and hardware, but you will often leave your users alone after forcing them into a room with a PowerPoint slide deck that most of them will not pay much attention to.

In the times I have had to give this type of training, I have found that the one key is making the material relatable to the user. Put simply, the "what's in it for me" principle.

Users care about their job, and they often don't see security as being part of it. Forcing it to be part of their job is one approach, but it usually isn't effective.

If you use the "what's in it for me" principle, you adapt the material so that it is relevant to their own use of IT at home.

Try turning:

"You need to ensure that the password you use for the corporate HR system is complex and unique"

into something like this:

"Hackers are constantly trying to gain access to any account that contains personal information. They use tools which try every password combination in quick succession, just like in this demo:

[spin up a prepared Kali box running John the Ripper, or the password-cracking tool of your choice]

So to protect your social media account, your bank account or our corporate HR system, you need to make sure you have a strong password; and this is how you create one……."
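If you would rather not bring a Kali box into the room (or want something to hand out afterwards), the same point can be made with a few lines of code. The script below is an added example, not part of the original post and not John the Ripper itself: it hashes a handful of constructed passwords with unsalted SHA-256, as many breached sites did, runs a tiny dictionary attack with John-style case and suffix rules, runs a brute-force "every combination" search, and then puts the size of the search space next to an assumed guessing rate of 10 billion per second (a rough GPU figure; treat the rate, the wordlist and the passwords as assumptions for illustration).

```python
"""Constructed password-guessing demo for awareness training (added example)."""
import hashlib
import itertools
import string

# Constructed mini wordlist: the sort of entries a real cracking wordlist starts with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "summer", "dragon"]

# Toy mangling rules in the spirit of a cracker's rule engine: case variants plus
# common suffixes. Real rule sets are thousands of lines long.
CASE_RULES = (str.lower, str.capitalize, str.upper)
SUFFIXES = ("", "1", "123", "!", "2017", "2017!")

# Assumed guessing rate for fast unsalted hashes on a GPU rig (order of magnitude only).
GUESSES_PER_SECOND = 10 ** 10


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 as used by many breached sites; a fast hash makes guessing cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Try every wordlist entry under every case rule and suffix.

    Returns (recovered password or None, number of guesses made).
    """
    guesses = 0
    for word in wordlist:
        for rule in CASE_RULES:
            base = rule(word)
            for suffix in SUFFIXES:
                guesses += 1
                candidate = base + suffix
                if sha256_hex(candidate) == target_hash:
                    return candidate, guesses
    return None, guesses


def brute_force(target_hash: str, alphabet: str, max_length: int):
    """Exhaustive search over alphabet up to max_length: the 'every combination' attack."""
    guesses = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly this length over an alphabet of this size."""
    return alphabet_size ** length


def worst_case_years(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try the whole keyspace at the assumed rate, in years."""
    return keyspace(alphabet_size, length) / rate / (3600 * 24 * 365)


if __name__ == "__main__":
    # Constructed sample passwords: the first looks 'complex' but is word + year + symbol.
    leaked_weak = sha256_hex("Summer2017!")
    leaked_short = sha256_hex("ab1")
    leaked_strong = sha256_hex("blue-kettle-orbit-ladder-74")  # long passphrase

    print("dictionary vs Summer2017!  ->", dictionary_attack(leaked_weak))
    print("brute force vs ab1         ->",
          brute_force(leaked_short, string.ascii_lowercase + string.digits, 3))
    print("dictionary vs passphrase   ->", dictionary_attack(leaked_strong))
    for size, length in ((26, 8), (95, 8), (95, 12), (95, 27)):
        print(f"{size:>3} symbols, length {length:>2}: "
              f"{keyspace(size, length):.2e} candidates, "
              f"{worst_case_years(size, length):.2e} years worst case")
```

The point for the audience is the contrast: a password that satisfies a typical complexity policy falls to a wordlist plus a couple of rules in about a hundred guesses, while a long passphrase survives the same rules and pushes brute force from seconds into geological time. The strong passphrase is only "strong" because the toy wordlist does not contain it; against a real cracking wordlist, uniqueness and length are what keep it out of reach.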

This way users have a greater motivation to pay attention, because it concerns something personal to them. The fact that they are likely to apply it to the corporate system as well is the added bonus.

At the recent Australian Cyber Security Centre Conference (ACSC 2017), the Chief Information Security Officer of Airbus Group, Stephen Lenco, gave an interesting session on the approach he took to ensure cyber security awareness was ingrained in Airbus Group staff. The two areas of focus were communication and connecting with the users. This is ably demonstrated in a number of the security awareness training videos they produced.

This is just one example. A search on YouTube will turn up a number of others.

So basically, security awareness training is primarily an exercise in communication. You need to ensure not only that the content you need is present, but that the message is getting through to your audience.
