TechEcho
A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

Ask HN: How to protect users from social engineering attacks?

15 points by crazyrabbitrap about 1 year ago
Apart from using strong passwords and enabling MFA, are there any other better methods to enhance network security for developers and business owners?

6 comments

LinuxBender about 1 year ago
Quarterly interactive testing is the only thing I have seen work. A common method is using Proofpoint + fake, realistic-looking sites and emails. Get stats on how many click the links and how many put in corporate credentials. Proofpoint can do this or a company could make their own tracking stats.

Without embarrassing or punishing them, ensure the ones that put in credentials get trained. The credentials should automatically sign them up for interactive mandatory online courses so they are not being embarrassed in a classroom. Reward the teams that don't get phished. Reward the managers, sr. managers, directors and sr. directors whose teams and orgs do not get phished. The higher the level of management organization that is free of phishing victims, the higher the rewards. Incentivize the leadership to discourage warning others in company chat that a phishing test campaign is in progress. I'm sure the director of incident management at my last place is reading this. It's up to them if they want to share high level stats. I would not be allowed to disclose details but I do know this methodology absolutely works, at least in a place that has integrity and employee trust.

This of course only works for employees of a company because they have signed legal agreements that would permit the company to phish their own employees and have their own corporate attorneys that reviewed this process. Any other scenario should have a small army of lawyers review the plan.
freedomben about 1 year ago
You'll definitely encounter people talking about phishing your own users and enrolling people in automatic training. I used to love this approach, but after years of trying it I am actually against it. More often, it serves to embarrass and annoy your users, and it teaches them to be overly paranoid. If you are a bank or something and your people are holding the keys to funds, then maybe that is good. But for everybody else, the cost/benefit analysis comes with a lot of cost (in the form of trust and morale) for that benefit.

The best way IMHO is to make a damn fun security awareness training. The best training I've done was basically running an "attack" against somebody and going through the whole process like an attacker would, but with the group as passengers and with explanations as I go. Seeing under the hood can be a lot of fun, and can be very enlightening.
0x073 about 1 year ago
Passkey/WebAuthn
djinnandtonic about 1 year ago
I am a big fan of Hoxhunt; it keeps social engineering attacks in the forefront of everyone's mind
ungreased0675 about 1 year ago
Hardware keys
akerl_ about 1 year ago
Do you mean employees? Or customers? Or some other group?