Traditionally in the field of security awareness, trainers have looked to the field of instructional design on how to develop their security awareness training. Models such as ADDIE provide a framework that build on how people think and learn. While such models are important, these may not be the only ones that apply to security awareness. Keep in mind, a large part of many awareness programs is not to teach people new skills but to change their behaviors. For example, people already know how to use email, we just want them to double check the TO address before hitting the send button.
As such, I think we need to move beyond just instructional design models and also be looking at behavior design models. For example with behavior design, motivation and ability are key. With ability, perhaps our goal should not be so much teaching new skills but on making the new behavior so simple that anyone can do it without training. I don't have the answer, but I do feel we may be focusing too much in one area (instructional design) and not enough in the other (behavior design).
