at employee orientation and never bring it up again, which is inadequate training. Awareness training teaches users not only what they can do to prevent malicious activity, but also how to detect attacks, so employees gain a better idea of the prevalent attack vectors.
In the long term, employees can and should be the "last line of defense." The reality is a determined hacker can get into your network -- period. Training your users makes the attacker's job harder, and if a network is difficult to penetrate, many hackers will move on.
Training should also cover social engineering, the art of extracting private data from employees through confidence games, lying, or other non-technical approaches. There are no technical defenses for a social engineering attack, so in this case, user education is the only defense you have.
To be clear, user education is not a panacea. Adequate layers of protection should be deployed to eliminate single points of failure -- including your users.
In terms of frequency and follow-ups, a strong education plan requires perseverance and consistency, even when employees make mistakes. I recommend that training start on the first day of a new employee's orientation and continue monthly, with new lessons, quizzes, games, etc. Employees should be reminded of the acceptable use policies and tested to ensure they understand simple security defenses at least every six months.
For more information:
Information security threats expert Ed Skoudis explains how creating a security awareness program can help thwart the insider threat.
In this tip, security expert Joel Dubin offers a primer on in-house vs. outsourced security awareness training.