Security awareness is still in its infancy. As I work in this area I feel as if it is 2001 all over again: we are spending more time just making people aware of the problem than we are developing solutions. Since this field is still in its infancy, there is a tremendous amount we can learn from each other. Whenever I present on security awareness I like to ask who likes their awareness program and what they like best about it. One of the common themes I continue to hear is that people like customization. The closer the program is to their own organization, the more likely they will relate to and learn from it.
So what is the best way to customize your program? Well, there are a lot of ways; however, one simple method is to present information on real threats to your organization that relate to a specific topic. For example, let's say you are teaching employees how to use email safely. What can really help your communications is to show examples of past attacks. Perhaps you can present how many spam emails are blocked by your organization every day, how many malicious emails you think get through, or perhaps how many employees clicked on malicious links and got their systems infected. You can include this information in monthly newsletters, onsite presentations or weekly email updates. If you do share some details, I recommend you do not name specific people who fell victim or were responsible for certain incidents. While the idea of a 'wall of shame' can have an impact, it can also create a tremendous amount of ill will.
If you have some success stories on how you customized your awareness program and the impact it had, I would love to hear from you.