Awareness programs should focus on informing people about the behaviors specified within the governance documents, not random best practices. A good awareness program tells people what they should be doing, not what they should be worried about. Assuming governance is complete, when faced with a social engineer who wants an employee to do something wrong, the employee would follow procedures and not fall prey to the attacker.
Before you address the people problem, you need to ensure you know specifically how you want the people to behave, and especially how you intend to inform people of those expectations. That is process. In the Process-Technology-People triad, it is where it all begins. It might be politically correct to say people come first, but it is still wrong.