Holistic Security Policy
How do you build a holistic security policy that covers every aspect of protecting corporate assets, including data and information, and then communicate that in an end-user security education program? How often do you then update and re-educate end users? How do you assess how effective the security education program is in your corporate environment?
"A policy" would indeed be unwieldy. A culture of enterprise asset protection awareness and action would serve better, beginning with a rational, business-like attitude to security. We know all too well the astoundingly negative impact on operations that a failed or missing policy has. Without producing a siege mentality, Executive Management must take more seriously (yes, really) the revealed threats. The days of "roll-the-dice-and-hope" are long over, and simply playing games with event probabilities to justify doing nothing only brings operational misery and professional liability.
Policy (or policies) development must emphasize asset importance (viz. most critical first...) and must drive cost-effective responses in both proactive and reactive technologies and methods. Re-education should be done no less than annually, but learning opportunities should be taken advantage of more frequently when specific issues present. As for assessing education program effectiveness: a) wade through a sea of potential metrics that seem to measure program performance of persons, methods and tools; b) select the ones that actually work to provide operational intelligence; c) apply them like you would any other operational metric to produce actionable intelligence that must drive action.
There is no simple, wand-waving cure for this; only the hard work required by anything this valuable and necessary.
Creating just a single policy would not help; it is a statement to define the company's commitment to security. Then you make a complete information security program, keeping in mind that an organization is made of people, not just financial assets, and that you deal with people who are your customers. The entire information security program should be made in such a way that everyone understands the need for security and why they are protecting it. The program will include complete risk management, BCP, governance, auditing and complete transparency in the work processes. To prevent any risk from being realized, the company must act proactively on the risks which are defined, and also on those which are thought to be very small but carry a larger risk, and must include tangible and intangible assets and people as assets. The organization must also have a reactive management system to act on the risks that are known to have been exploited, along with monitoring of those that have a high probability of being realized. Coming to educating people: while hiring people, a psychological profiling should be done, and their education should be done according to their profile. For example, a few people are good at understanding their work and numbers but do not realize the importance of security; some could become insider threats or disgruntled employees. Technology can be put to the best use, but a single person who does not understand the organization's security commitment and is not aligned to it may make one silly mistake that brings down the whole company in many ways. The organization must understand that there has been, and will always be, someone targeting them, so always be ready for it and never let your guard down.
We are big proponents of the fastest growing "good practice" framework for security. The NIST Cybersecurity Framework (CSF) is a holistic set of policy and other internal controls that, collectively, form the most advanced enterprise-wide program initiative to hit commercial industry. Their Version 1.1 DRAFT was released in January of 2017, and it takes the concept of "Cybersecurity Convergence" to a whole new level. We are rolling out a suite of multi-user Control Self-Assessments (CSAs) so that companies can gauge their progress in implementing not only the CSF, but also the cultural and process-driven change pieces entitled "The NIST Baldrige Cybersecurity Excellence Builder" Framework. Both frameworks work together to deal with the questions that you have asked, as well as many others.
In addition, if you would like guidance on the changes that are now taking place to retune or reengineer risk assessment practices, let me know and you can opt in for free to receive it. Big changes are now underway, but there has been very little visibility on these new practices. www.GRCsphere.org
Best Regards and Happy Late Summer!
The GRC Sphere
Some good points raised here by the various posters. I'll simply add that this really begins with understanding the value of your organization's assets, and the dependency of the mission on those assets being accurate and available when needed. Understanding this fundamental piece will make integrating security and creating the necessary environment more manageable.
The short answer is you don't build a single policy, because it would be unmaintainable and would never be read by anyone :). You build an information security management system (ISMS) consisting of policies, standards and procedures designed to be comprehensive but specific to your company's needs; most of the time I use the ISO 27001 framework for this. It's a significant piece of work though, and needs yearly updating.