Blow away boring security awareness examples

I was phished!

When you are trying to teach a concept, it is always a good idea to show examples. But not all examples are created equal.

To add instant punch and relevance to a security awareness training module, show an actual, recent example of the topic that a Manager (or other high-level member of your organization) had to deal with.

Follow it up with personal statements about what the Manager thought, felt, and did during the event. If such an example is not available from a Manager, pick one from someone in the InfoSec department.

Doing this has three big benefits:

  1. it breaks the theory/reality barrier to make the message deeply relevant
  2. it shows the “tone at the top”
  3. everyone gets to see that Management deals with the same issues as everyone else

I’ve seen an entire room of people suddenly sit bolt upright when I switched slides from a generic phishing example to a real spearphishing attempt that the CEO had to personally deal with.

Have you done something similar? What effects did you see? Let us know in the comments.

