The notion of security awareness is very interesting. Michael Howard, during his security development lifecycle presentation given at Denim Group, discussed some of the security classes he taught up in Redmond. These daylong classes were given to developers of different projects. The goal wasn’t to make them security gurus or even to remember the difference between, say, symmetric- and asymmetric-key algorithms (if that doesn’t take a security guru). The goals were to simply inform developers of common security scenarios and solutions. If they forgot the solutions the minute they left the class, that was OK, as long as that when presented with similar situations, they might recognize the scenario and perhaps Google for a solution (or, since this is Microsoft, perform a Live search).