In addition to implementing broader InfoSec education efforts (e.g. Securing the Human, assessments), we've built an interactive e-learning course using rapid authoring software designed to teach folks the tell-tale signs of phishing. If you'd be interested
in taking a look or discussing more, please email me and I'd be happy to share. It's not quite as flashy as the expensive simulations, but it gets the job done.
In terms of raising awareness and promoting informal learning, I've found that sharing any InfoSec successes of your community members is a great way to increase the relevance of security and to get people talking. For example, I commonly tell folks about
how our CFO received an email from the 'College President' that turned out to be a well-crafted spear fishing attempt. However, our CFO recognized it as an attack, followed the proper steps, and likely prevented significant financial loss. This article inspired
using community members' experiences: http://cybersecurity.oxfordjournals.org/content/early/2015/12/01/cybsec.tyv008.full
Lastly, you'll likely find some helpful resources from the HEISC page:
Outreach and Education Coordinator | Library & Information Technology Services
Bryn Mawr College
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.