I was startled by a fact in the 2014 Ponemon Research Institute and Security Innovation study. Few respondents reported customizing their awareness materials to the Finance department (only 10% did). But 66% customized their material for the IT department! This means that the effort to customize was limited to a small segment of the organization. This is a large overlooked area!
Customizing to the department
Customizing awareness material to the audience, down to the individual person, has a huge impact on attentiveness during training and on retention afterwards. Every example you show in training should be customized as much as possible. The more relevant it is to the department, or to the person, the better.
Imagine showing members of the Shipping department a phishing example targeted at a different department, like HR. On top of trying to absorb the phishing-related concepts and technical points, the students have to translate the content of the example into their own experience. This is an unnecessary burden on the learning process.
The same can be said for generic phishing examples. Students have to imagine what the generic example might look like if it were sent to them. Showing the Shipping department a phishing example aimed at the Shipping department lowers the barrier to understanding.
Customizing to the person
I also think that awareness materials should go beyond that and be customized down to the person. This might only be possible if you are using something like CBT material that allows this level of personalization. But, in my experience with SelfPhish, if the examples use the actual name of the student (instead of John/Jane Doe, for example), attention and retention reach even higher levels.
Easy ways to customize right away
Yes, customization can be a lot of work, but there are ways to cheat a little. When showing phishing samples, for example, you could use company-wide emails (something that is common to all departments and people), and for physical/personal behaviours, you can use a person, role, or department that everyone interacts with, like reception or the IT helpdesk.
Have you used something like this? Tell us about your experiences in the comment section.