Which topics should a security training for non-IT persons contain?
I actually did a presentation similar to this a little over a year ago, and spent quite a bit of time deciding how to structure it. My target audience did include developers and other people quite knowledgeable in IT, but also managers and other non-programmers, so I tried to keep it fairly general, and not to technically complicated. As someone else pointed out, I think one important thing is not to come across as boring; you want this to be an enlightening talk that helps people realize that this is something they ought to keep in mind, and not just another list of dreary tasks that will get in the way of actual work.
To this end, I tried to center the whole presentation around the concept of security culture instead of jumping straight into too many technical details. With that in mind, I still managed to touch upon many of the themes you mention in your question.
Some of the stuff I mentioned in my talk
(or would touch upon today if I was to hold another similar talk):
- Confidentiality, Integrity and Availability (CIA): The central themes of information security, and a few should-be-obvious words about why these are important both to your company, and to individuals (if you can give people a little guidance that will help them stay safer beyond the workplace too, then that is only a plus, right? It might also make some pay more attention to you too - especially if you touch upon the safety of their kids/family too).
- A few words about the concept of "security culture" ("culture" as in "a set of ideas, habits and social norms, common to a specific group of people", or something like that, and the idea that security awareness should be a conscious part of this).
- Goals of thinking about security: Reducing the risk of unwanted incidents, preparing to handle them if / when they occur anyway.
- Keeping cost in mind (or return on investment if you like); thinking about what measures will be easiest to get started with, and which make the most sense. I would include a few words about good habits here; such things as update your systems, use good passwords, and avoid clicking suspicious links, be conscious of physical security (tailgaters!) etc. Perhaps include a few examples from real-world events, including screen shots of news articles about breaches, etc?
- Throw out a few questions related to what type of vulnerabilities or threats might be relevant to your particular company, and more. Examples: What are the "crown jewels" of our business? What is most important to us, and what may threaten them? How secure are we today, how secure would we like to be, and how can we get there in the future? In what areas would we want to improve our security stance? The point here is not to give people a checklist of things to do, but to get them thinking about the whole realm of security in general, and help take responsibility for parts of it, themselves.
- Give a few examples of typical security guidelines, and ask your audience if any of them (or similar) should be considered for your workplace.
Oh, and one more thing: Including a few appropriate real world examples of security problems will help keep your audience entertained (but don't overdo it).
I don't know if this is exactly what you were after, but I hope it may be of some use. Good luck with your presentation.
None of the existing answers mention this and its too long for a comment even if its not a thorough answer.
One thing you will absolutely need to avoid engendering in your audience is nihilism (i.e. I will get hacked no matter what I do). Its quite easy to scare people s@#$less (and temptingly entertaining depending on circumstances). But big part of selling security culture, as you put it, will be convincing the audience that meaningfully improving security is both a) not overly painful and b) possible.
All too often the attitude I encounter especially among millenials is that security is impossible, or if possible then so difficult as to be unworkable. Hell, I know better and still feel that way at times myself.
I recommend that each real world example (whether story or live demo) be presented with some easy steps (preferably 'step' singular) to avoid the same fate.
It's so unreal for them
that the only way to have it stick
is by showing them by real life example.
Ask them: Who knows what phishing is?
Ask them: So what kind of information leaked would be Problematic?
They say: If document ThisIsImportant.doc with accounting info about customer C would be leaked.
Ask them: Who has access to ThisIsImportant.doc?
They say: Patrick
Then tell them: SO, lets all together send a phishing email to Patrick pretending to be Patrick's boss!
Open Terminal (with green font, important!) in front of their eyes.
LIVE "Hacking"! They Love it!
1) ssh into the mail-server
2) touch mail.txt
3) vim mail.txt
To: [email protected]
Subject: Patrick, I need customer C info.
From: Patricks Boss<[email protected]>
Dear Patick,
I'm a little bit in a hassle, as customer C just called.
Please send me ThisIsImportant.doc so I can prepare a response.
Best regards,
Your BOSS!
4) :x!
5) sendmail -vt < mail.txt
Now ask Patrick to open his email and everyone will see an email form Patricks Boss that you wrote in front of their eyes.
Lesson Learned for them:
They should not blindly follow a Name/Brand/Uniform/etc. and use common sense.
After that you can tell them all the other stuff because now they believe you how real it actually is.
A year later however, they will still tell the story of how you "hacked" partick by impersonating his boss.