I agree with almost everything that was said by Steve Smith, with the exception that I do not think you should stress policies to users. You should stress Procedures, and why the procedures are important. All too often I see security presented as "It is important to protect information, and if you don't you will be fired." I prefer to see awareness programs say things like "check for access badges and challenge people that don't belong there," or "do not give out your password for any reason to anyone." This is as opposed to "you are required to wear your badge" or "protecting your password is important." It is a fine line, but it makes a difference. Awareness briefings and policies tend to say that protecting information is important, without providing practical examples of how to do it.