I agree with Schneiers view on security awareness training. It is hard enough for a security professional to know what browser to use this week, what filetypes to avoid after the latest 0-day or what techniques the adversaries fancy this month. Assuming that a non-professional will keep up to date with this is a mistake.
A more viable strategy would be to have a well trained cyber defence team, constantly adapting the policies and technical security measures to meet the current threat. A rudimentary knowledge, paired with the directive "If you experience something unusual, call this number", could prove sufficient as security awareness training for the non-professional.