The two most common goals I see in awareness programs are compliance and impact. The goal of compliance is to meet the requirements of certain regulations, such as HIPAA or PCI DSS. Impact means to reduce risk in your organization by changing employee behavior. To be honest I am far more interested in the second goal, impact. Not only is reducing risk more challenging, but I also feel a greater return on investment. But what does it mean to reduce risk, and what is good enough? Remember, no technology nor any solution can eliminate risk, we can only reduce it.
To the left is a diagram I like to use to visualize the value of security awareness (click on it to make the image bigger). The X axis represents the amount of effort you put in securing end users. The more time, resources and effort you invest the more security aware they are. On the far left is where most employees are today, totally unaware and insecure. This is not because they are stupid, this is because no one has taken the time to train them. On the far right is the security community, highly trained and aware. The Y axis measures your organization's return on investment. There is a sweet spot where you get the greatest return. Invest too little effort and your employees are still low hanging fruit (where most organizations are today). Invest too much and you are entering overkill. For some reason some people expect security awareness programs to turn end users into security experts. This is ridiculous. The goal is 'good enough'. The challenge with security awareness is determining what that 'good enough' is, where you get the greatest ROI. That is different for every organization.