First, you can't solve every security problem at once with what amounts to a PR campaign. You can't even come close, so what you must do is avoid the sickness known as scope/feature creep. What you are trying to do is pick two or three top issues, and educate the user community about those two or three issues. In our case, we went with phishing, laptop/mobile security basics, and locking your screen when you leave your computer. That does not mean discussing PGP vs. NTFS native encryption, or who has the better passphrase generators. Those are interesting, but weren't germane to our main focus, and so they didn't make the list.
Once you've decided your subject matter, then you have to decide on how you're going to present it. This time around, instead of a standard PDF/PowerPoint snoozefest, we went with movies. This gave us a number of advantages. First, we could make it humorous. The folks making these kinds of decisions decided to spoof "Men in Black." So, there is now film of me dressed up à la Tommy Lee Jones, glacier glasses and all, talking about various security issues. (No, it's not going on YouTube.) Humor, as many an educator will tell you, is a valuable teaching tool. It keeps your audience interested, and if they're interested in what you're doing, you're halfway there.
Using video also let us illustrate problems in ways that carry far more impact than simply talking about them. Sure, I can write up a nice paragraph on how easy it is to steal a laptop or smartphone. But that will never be as immediate as showing someone how a random person can grab your stuff and be out of the room in under ten seconds without running, or how they can sit across from you on an open wireless network and start playing traffic sniffer games. Seeing these issues in such a 'real' manner has a lot more impact than just talking about them.
The same applies for locking your screen when you leave your computer. Again, I can write pages of pithy prose on this, but 20 seconds of video showing you what can happen? Far more effective. Over the long term, we can put this up on a streaming server (QuickTime, of course; we already have two for free via Mac OS X Server), and on DVD to become part of new employee orientation. So not only do we make "Security Awareness Month" a bit less tedious, we can guarantee that new hires are getting the same message.
A further advantage of video is that it lets us not just explain how to lock your screen from an XP box, or a Mac, but actually show how it's done. I've had tons of thanks from my Windows users for the Windows Key-L trick, even though it's dead simple. Just because you, as an IT person, know a trick, don't assume that everyone else does too. Video also helped us be platform neutral. We didn't have to worry about the OS or the hardware shown, because it was immaterial to the task at hand.
This leads me to the next tip: Stay out of religious wars. While this can be seemingly impossible, if you keep your content platform neutral, it's really easy. For example, with the laptop theft issue, we simply ignored what kind of laptop it was. Smartphones, hacking attacks, all of it. We avoided OS security and the like, not because it isn't a valid security issue, but it wasn't part of the message we wanted to send. That's an important thing to remember: Don't let other people's issues muddle your message. Mac/Windows/Linux partisans all have their agendas, but don't let them become your agendas.
Since we're talking about messages, make sure the message you're sending is what people are hearing/seeing. It does you no good to talk about email security if you do so in a way that creates noise. It is better to present less information and a clearer message than vice versa. For example, with phishing, while you can go into details about URL spoofing, email client differences in phishing prevention, and server-level issues, that's not going to help people deal with phishing attempts better.
In some ways, you have to crawl inside the heads of those you're talking to. If you're sending a sysadmin message to a non-technical audience, they're not going to get much out of it. Better to 'dumb down' the details so you give them more useful information that will help them be more secure, which will make your life easier by extension.
I know that this isn't a terribly technical, nor "Apple-focused" column, but sometimes, being a sysadmin, even on a Mac network, isn't all Terminal and Cocoa. Everyone running a network will need to deal with user security education at some point, and hopefully, my experiences this time around will help you when it's your turn in the barrel.