For your security awareness program to have a true impact, it must be a long term investment.  You cannot change behaviors, nor create a security culture, with just a one or two year program.  As such you need management's support for the long term.  One way that can help you gain that long term support by explaining the following. 1. Organizations are constantly bringing on new employees, contractors and part-time hires, you need to ensure anyone new is properly trained.  The staff you have now will be very different then the staff you have two years from now. 2. Standards and regulations are constantly being updated. The compliance standards you are required to follow today will most likely be very different then the standards you need to follow two years from now. 3. To keep your employees secure they need to understand the latest attacks and how to defend themselves.  However bad guys are constantly adapting and evolving.  What you teach them today will be different then what you teach them two years from now as both technology and threats have evolved. 4. In many ways people are like computers, they store, process and transfer information.  You would not spend two years keeping your computers secure then say 'that is enough'.  The computer's security would quickly degrade in the following months.  People are no different. If they are not continuously trained they quickly forget their lessons learned and their security quickly degrades.  In fact, in the 1800's German psychologist Hermann Ebbinghaus proposed the theory of the Learning Curve, identifying how people quickly forget lessons learned over time. If you have seen a different approach work, let me know at