One of the key benefits we have been discussing of a strong security awareness program is not just prevention, but detection and response. As humans, sooner or later we all make mistakes; even the most aware of us can be caught off guard and fall victim. As such, we also want to be teaching people how to detect and report it if they do fall victim. Just think, what would have happened if the victims of the recent RSA spear phishing attack had figured out what happened and quickly reported it to their security team? So have your awareness program focus not just on how not to fall victim to social engineering attacks, but on how to detect and report them, especially when employees do fall victim. Now, like any Intrusion Detection System, this involves some tuning. Before you start your awareness program, your NOC, help desk or security team is probably getting very few reports of social engineering attacks such as phishing. Once you kick off your security awareness program, you will probably have the opposite problem: every employee will be reporting every spam or phish that gets through your filters, which once again is not a good situation. You need to tune the HumanOS. As such, I recommend you have a policy in place like this:
  1. By default, when people identify a phishing attack, they simply delete it. There is no need to report it.
  2. If people get a message and cannot tell whether or not it is an attack, they report it.
  3. If people fall victim to a social engineering attack, such as spear phishing, they report it immediately.
As with any other security control, security awareness always takes tuning. However, when trained and tuned properly, people can become one of your greatest assets.