Policy and security awareness are often lumped together and usually perceived as Awareness training on company policies. There is a delineation in topic and tactics as they are two related but different things. Policy is primarily created to protect the company from lawsuits, lawsuits, damages from lawsuits and lost productivity. Lack of policy ultimately impacts the bottom line. Traditional Training Programs fail due to the quality of the education and duration of the training sessions. In many cases, training fails to engage the recipients meaning they do not retain any significant information for them, all of them.”]
Source: https://informationsecuritybuzz.com/articles/security-awareness-programs-just-compliance/