In addition to sharing the gritty details of attempted cyber-espionage and malware attacks, the executive said it's also a key to align any threat reports with larger issues that are currently affecting the company, such as compliance mandates and data loss laws.
"Take advantage of moods; that's something that is very important to how people make choices about risk," Stewart said. "If you hit them with something after a real incident, they most often will respond before incident amnesia occurs. If you catch them at a time right after something real happens, more often than not [business leaders] will bite."
Among the other tips that the CSO offered about sharing stories from the dark side is to leave out the real names of those affected to prevent potential fallout for those involved and for the designated storytellers to play up the juiciest elements of any incidents they detail.
"Scare them with real objective data, and they will start listening, but also feel free to sexy-up the stories," he said. "If you make it interesting, people always want to know the next story, so you should also have other examples at the ready."
Another useful method for making security threats more relevant to employees at all levels is to use peers to inform them how easy it is to get victimized, according to the Cisco security chief.
For instance, a worker who was victimized in a recent attack has become a regional spokesman for talking about security threats with other Cisco employees in the EU.
"If you have someone who does something wrong by mistake, to fire them for it is ignorant, you have to consider all the details because a lot of these things can happen to anyone, and its much smarter to allow them to help you educate," said Stewart. "Make the victim your spokesperson to tell other users their story; peer pressure is a very effective teaching tool."