One of the things I enjoy about security awareness is that something that at first looks very simple becomes very complex. An excellent example is what topics you want to focus on for your awareness program. For larger organizations, or for organizations in different parts of the world, you may have to adjust your security awareness program based on different cultures. An excellent example is SMS. Depending on the region, you may or may not want to cover SMS. If I were working with an organization based in the West, especially the United States, SMS may be low in my priorities. While SMS may be popular among the younger generation (especially teens) and some organizations, SMS use is nothing like in the Middle-East. In the Middle-East the primary method of communication is SMS. I remember on one of my first trips to Dubai, I asked a good friend of mine who worked at the local telco to set up voice mail for my new mobile. After working on my phone for fifteen minutes he said he had no idea how to do it. I was soon to learn that almost no one uses voice mail in the region. If you want to leave someone a message, or you want to quickly reach them, you send an SMS. As a result, SMS attacks, such as lottery scams, are extremely common.
You may think this is a basic attack, but there are several things you have to take into consideration. First, when comparing the cultures of the West and Middle-East, the Middle-East is in general far less security aware. Based on awareness assessments I've done in both regions, I would estimate two to four times as many people fall victim to awareness attacks in the Middle-East. In addition, it is much simpler to launch a convincing attack with mobile phones. In many Middle-East countries you can determine by the phone number whether it is a land line or mobile phone, and in addition which telco issued the phone number. This makes it much simpler for criminals to social engineer victims. In addition, in certain countries each telecom is assigned a certain number they must use for the beginning of the serial numbers for all SIMs (similar to how each credit card issuer has a unique 6-digit Issuer Identification Number). Cyber criminals will pretend to 'know' the victim's SIM number, when in reality all they are doing is reciting the unique identification number for that telco. This combination of factors makes SMS awareness a much higher priority issue for any awareness program in the Middle-East, while in countries such as the United States it may not be nearly the same priority. Long story short, what you may feel is not an important topic for one culture can be very important for another.
I would be interested to know what examples you have of culturally unique awareness issues and how you addressed them.