What have you found to be the absolute most effective way to deliver security awareness training? What actually seems to work best?
Well written and I fully concur.
A gentle messing with an unlocked screen is fun and efficient, and if the company culture is good, others will follow the example :)
For the company-wide messaging we try to tell stories based on real-world incidents and breaches. A good example was the recent Dropbox breach via CircleCI phish (GitGuardian wrote a great explanation https://blog.gitguardian.com/dropbox-breach-hack-github-circleci/); I told the story and used it to play a "what if" and encourage people to start adopting passkeys or dedicated MFA apps in favour of TOTP. We achieved a much more profound impact than if we "just" sent a note along the lines of "please consider FIDO2, it's more secure than TOTP" – colleagues started to talk to each other about the topic, and that's almost as good as it can get :) (and yes, our IT is following up and making sure people acted on the guidance...)
And for awareness to be effective, it must be tailored to the specific organization.
There are a lot of off-the-shelf SaaS awareness platforms.
But if you don’t find the right one that speaks to your specific risks and talks to your specific employees, they will just play it in the background to get the CPEs. And not get any of the messages. And if that happens, it is completely management's fault.
https://cybersec.banyansecurity.io/s/october-is-cybersecurity-awareness-month-part-4-recognize-and-report-phishing-5625
On a mass scale, we always tried to use real situations that we had experienced within the company like imposters directing lower employees to route money, or similar spear phishing attempts.