The best training is personal experience
One prominent pharmaceutical company noticed an increasing number of the security incidents at the level of individual employees. This was assessed as a high risk with a potential impact on preserving the company's trade secrets and a possible high financial loss. The employees themselves represented one of the biggest threats to information security. We were selected to crosscheck the possibility of a data leak by compromising the employees' access.
With the help of various social engineering techniques, including simulated malware, we gained access information from every fifth employee. After reaching an agreement with the company's management, our specialists prepared a targeted proposal of security workshops for a wide range of employees, from ordinary field workers, administration workers, external workers, to the management itself. We adopted the content of the training to specific security policy, standards of the given segment, as well as durability training against common criminal techniques. Selected groups of employees were trained either on-site, or via electronic study program.
After some time we verified the gained knowledge by using similar social engineering techniques with different scenarios. Only in one case out of a hundred did we manage to get the access rights of the given user.