Most users are only a little technical, some more, some less, and real cybersecurity experts are rare. It is therefore best to assume that the people you want to educate on cybersecurity awareness and response are neither technical nor cybersecurity experts.
However, since every one of us uses devices in private life and every one of us is a potential target of cyber-attacks, cybersecurity awareness training has become much easier. The approach I have taken for several years now is to focus first on what this means for one's own device and personal life, and then to transfer that to the business domain.
Everyone receives emails from unknown senders, from known people but with odd email addresses, or with strange subjects, spelling errors, links or attachments. Demonstrating what to look at in such an email, for example, raises the interest of the audience and commonly triggers questions and discussion. A few samples from real life, both personal and business, help increase awareness and knowledge.
Such concrete examples help more than abstract rules, especially when the fraudulent parts of the mail are highlighted. From there it is a short step to explaining: hover over a link first, check the domain it actually points to, and only if everything looks safe, and only if there is real value in doing so, click it.
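The hover check described above, done mechanically, as an added example that is not from the original post: it extracts every link from an HTML mail body, compares the domain shown in the link text with the domain the href really points to, and flags raw IP targets, non-HTTPS links and brand names that only appear in a subdomain of some other registered domain. The sample mail, its domains and the brand list are constructed for illustration, and the "registered domain" helper is a naive last-two-labels approximation (real code should use the Public Suffix List).

```python
"""Automated 'mouse-over' check for links in an HTML mail.

Added example; the sample mail and KNOWN_BRANDS are constructed, not real.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample mail body; all domains are illustrative only.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://192.0.2.10/login">https://www.examplebank.com/login</a><br>
<a href="https://examplebank.com.secure-verify.example.net/">examplebank.com</a><br>
<a href="https://www.examplebank.com/statements">View statements</a>
"""

# Brand names an organisation expects in its own mail (assumption for the example).
KNOWN_BRANDS = {"examplebank"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1: the last two labels. Assumes no multi-label public
    suffixes such as co.uk; use the Public Suffix List in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the hostname if `text` looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if not candidate or " " in candidate:
        return None
    if "://" not in candidate:
        candidate = "https://" + candidate
    host = urlparse(candidate).hostname or ""
    return host if "." in host else None


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the list of warnings for one link (empty list = looks fine)."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        warnings.append(f"not https: {parsed.scheme or 'no scheme'}")
    if is_ip(host):
        warnings.append(f"target is a raw IP address: {host}")
    shown = host_of(text)
    if shown and registered_domain(shown) != registered_domain(host):
        warnings.append(f"visible text says {shown} but link goes to {host}")
    reg = registered_domain(host)
    for brand in KNOWN_BRANDS:
        if brand in host and brand not in reg:
            warnings.append(f"'{brand}' appears only in a subdomain of {reg}")
    return warnings


def scan_mail(html):
    """Run the hover check over every link; returns {href: [warnings]}."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, warnings in scan_mail(SAMPLE_MAIL).items():
        print(("SUSPICIOUS" if warnings else "OK        ") + " " + href)
        for warning in warnings:
            print("           - " + warning)
```

Of the three constructed links only the last one passes: the first shows a bank URL as text but points at a raw IP over plain HTTP, and the second puts the bank's name in a subdomain of an unrelated registered domain, which is exactly what a user should notice when hovering.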
Another important element of my approach is to name the contacts to call when something looks strange, and to stress that calling them is far better than just clicking links or opening attachments. Convince the team that no one has ever been blamed for asking; asking is always better than making a fundamental mistake. Of course, the people named as contacts then have to react positively to the questions that follow soon after the training (in my experience, they always come).
Last but not least, you can add a little technical content. My favourite subject here is showing where in the Windows taskbar to find the icon that displays the current security status of the Windows system. This is a simple check with very little effort that everyone can perform regularly. If the icon is not green, it is time to ask the experts.
By the way: my trainings rarely take more than 15 minutes (unless a lot of questions come up, which is a good sign), and can easily be done in 5 minutes (without questions), as you can see here (at least if you understand German).