In today's environment, users at all levels require training in cyber awareness. Some companies provide online training, usually a course that goes over some of the threats in the computing environment. Others bring people in to train their users on what to do and what not to do on the corporate network. Then there are those that offer no training at all.
Online training can be invaluable to a company that is hiring people on a regular basis. Though it may not give those going through it the ability to ask questions or truly understand what is being taught, it does give a basic understanding of the threats that are out there. However, many online courses are configured so that you can attempt the test at the end, if there is one, as many times as it takes to pass. This is problematic because those taking the training often don't actually learn anything; they just skate by and do the bare minimum so that they can do their jobs. Instructor-led training is probably the best form, though it can be very costly and is not necessarily beneficial by itself if you have employees starting throughout the year.
Instructor-led training does have its good and bad points. On the positive side, you can have an extremely knowledgeable instructor who can show employees of all levels what can happen if they have too much information freely available on the Internet. Social engineering is one of the biggest weaknesses of many companies, and if your employees have the details of their lives easily accessible through networking sites, it can be just as easy for someone to impersonate them over the phone. Not only that, but an attacker may also be able to use that information to craft a sophisticated phishing e-mail that gets them to click a link and provide more information than they want to. With instructor-led training, employees can be exposed to these threats at a level that shows them exactly what to look for and how to better secure their information. Beyond that, by watching the instructor use tools such as SEToolkit, they can get an idea of just how easy it can be to fool users. Another advantage of instructor-led training is that personnel can ask questions to get a better understanding of the risks. Quite often employees, including CEOs, CFOs, etc., don't understand what or who they are protecting themselves from. They can also see what fake links look like and how to avoid them.
The downside to instructor-led training, especially in the eyes of the decision makers, is cost. Quality instructors can cost a company quite a bit of money. With that, decision makers have to look at the ROI and whether or not the costs outweigh the risks. If your users are prone to social engineering or phishing, then this may be the route you would prefer to take, as it is a better, more concise form of training. Also, if users in your network have access to PII, this may help to prove ROI, as access to even one such user's account could cause a leak of personal information that could be quite difficult to come back from. In-person training would more than likely have to be offered at least annually so that users can be kept up to date on the newer threats that may be out there.
This raises the question of what to do for new employees who may have joined the company just after the annual training. The only way I have to combat that is either to use online training as a supplement until your next training, or to have a consultant/trainer on contract who can offer classes any time you may need them. Either way, training is a necessity, and having someone who can answer the questions users may have is a must.