In the corporate world, user security awareness programs seem to come in a variety of flavours. Two flavours in particular, plain vanilla and neapolitan (the analogy will make more sense in a minute), merit further study. Businesses either invest heavily in technical solutions such as firewalls, intrusion detection systems, and data leakage prevention, or they adopt a layered approach in which people, processes, and technology all play critical roles. Hopefully it's apparent that the plain old vanilla approach (invest heavily in technology alone) is both less effective and more expensive than the vanilla, chocolate, strawberry approach of investing in people, processes, and technology (which I like to refer to as neapolitan).
Companies that rely mostly on expensive, state-of-the-art technological solutions to protect their corporate kingdom are at a higher risk of exposure or breach than businesses that follow a more balanced approach. It does not matter how much technology has been implemented for security's sake, or which technologies; without a matching investment in end users' security awareness and in incident response processes, much of the value of the technical controls is lost.
A million-dollar investment in security infrastructure can be shattered in a second when an uninformed user sends his or her domain credentials in response to a phishing email. If you're going to invest so heavily in technology, at least protect your investment by keeping your end users informed of current security threats (in words that are relatable to them, not techie speak). If you could protect a million-dollar investment by spending an extra couple of bucks, wouldn't you do it? Think of it as an insurance policy: end user security awareness and the processes that go with it are the insurance on the expensive technology purchases.
The benefits of deploying user security awareness programs are numerous. They are inexpensive, not very time consuming, and deliver a high return on investment. It is important not to adopt a cookie-cutter approach when constructing the program, as different areas of the business each view and use corporate data and technology in different ways. Customizing security awareness programs for the different divisions or sections of a company increases their effectiveness, because end users are more likely to understand (in their own terms) how their "computer" behaviour at work (online activity, data sharing, connecting to unknown networks) affects not only the corporation but themselves as well.
Scare tactics should never be used, because they cultivate a culture of fear rather than one based on collective responsibility and accountability. Users who operate in fear are much less productive than those who have a collective identity and a sense of co-ownership with their employer.
Neglect end user security awareness at your own risk. Remember: the fate and security of any organization lies in the hands of its employees. Now will that be one or two scoops of neapolitan?