We don’t really do security awareness training and rely on our technical solutions for IT security (firewall, spam filters, intrusion detection, etc.).
We gather employees for a lunch & learn and show them a slideshow of what to avoid when surfing the Web, in emails from unknown sources, etc. (usually in-house-created “death-by-PowerPoint” training).
We have employees view incomplete and disjointed security awareness training videos to learn how to keep the network and organization safe and secure.
We pre-select certain groups of employees, send them a simulated phishing attack, see whether they fall prey to it, and train only those who fail.
We regularly test everyone in the organization and find the percentage of employees who are prone to phishing attacks. Next, we train everyone on all major attack vectors and keep sending simulated phishing attacks to everyone on a very regular basis.