How can you design your org’s security policies to more effectively drive awareness?

Head of Cyber Security in Manufacturing, 2 years ago

At least for the German market, employees shall consent to having read corporate policies on a yearly basis. This is the foundation, to a certain extent, that you can hold them responsible and that you made them aware, even though it's most of the time covered to some extent by the secondary obligation in labor law.

Keep the policies concise, and include or reference a website with samples so people can better understand certain scenarios / edge cases.

Head of Information Security in Services (non-Government), 2 years ago

Using relevant examples to help underscore the importance of adhering to policies is key because it helps your messaging resonate. The MOVEit breach has impacted hundreds of companies and millions of individuals, so using that as a relevant example helps people understand the importance of using approved third-party file sharing services. Or, as another example, there was recently an executive in the legal services sector who, before leaving, copied a bunch of data to a USB. By using these real life examples, people can see why the policies are important and why they’re in place. Then you need to emphasize your obligations to clients as well as any regulatory requirements — that makes it clear that we're not just creating these policies for our health, they're meant to protect our clients, ourselves, and they’re required by law. It’s a matter of helping people understand the why behind the policies.
