January 17th, 2005, 09:01 PM
#1
Originally posted here by ZomBieMann77 and sponsored by Kraft Dinner - Cheesy, it's what's for dinner!
If they are not tech savvy do not confuse them with a bunch of tech jargon. Stick to the basics at first like password policy and no passing out information to people who they are not certain are part of the company. Cover some of the basics of social engineering. Also if they have internet access from their terminals you may want to consider restricting sites to business related sites. Just remember that humans are often the weakest link in the chain of security..... god that sounded cheesy
I'll go one farther. Humans are ALWAYS the weakest link. Whether users, admins, engineers, or code writers, I'd say MOST problems come from human error at one level or another. Seriously...Slammer, Code Red, Nimda wouldn't have been the beasts they were for many companies if the proper standpoint on network traffic had been taken. It's called the Principle of Least Privilege, but in another context. Why allow all traffic when you don't need to? "Usability", you say? Psshaw! Let them request ports be opened if and when they need them. (Let them eat cake!)
</rant> ok, so this isn't the most reasonable stance to take. But seriously, most problems come from the fact that people who made decisions did so without considering the whole picture, or without having the proper perspective and training.
Considering what you've told us about this group and environment, I am not sure Social Engineering should be a major point of the material. It should be covered, for sure, but don't bore them with war stories of Mitnick-esque activities.
I'd make sure they know how to reference file ownership and permissions, and what it means.
Code:
-rwsr-xr-x root sys 1024 blah blah bad-ass-ownage.pl*
This is a suspicious looking file, and they should recognize it as such and at least know what the permissions mean it will do.
Edit: had to fix the bits in that code block...you'd think I'd know where the damnable suid goes! :P
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
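As an added example (not part of the original post): a short Python sketch that decodes an `ls -l` mode string like the one in the post into numeric permission bits and tags setuid, setgid and world-writable entries. The function names, the tag names and the two extra sample entries are assumptions made for illustration.

```python
import stat

# One row per permission triad: read, write, execute bit, the special bit that
# shares the execute column, and the letters ls shows when that bit is set.
TRIADS = [
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "sS"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "sS"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "tT"),
]

def parse_mode(mode_str):
    """Turn a 10-character ls -l mode string into numeric permission bits."""
    if len(mode_str) != 10:
        raise ValueError(f"expected 10 characters, got {mode_str!r}")
    bits = 0
    for i, (r, w, x, special, letters) in enumerate(TRIADS):
        triad = mode_str[1 + 3 * i : 4 + 3 * i]
        if triad[0] == "r":
            bits |= r
        if triad[1] == "w":
            bits |= w
        if triad[2] in ("x", letters[0]):   # lowercase s/t: execute AND special
            bits |= x
        if triad[2] in letters:             # either case: special bit is set
            bits |= special
    return bits

def review(mode_str, owner):
    """Return tags an auditor would want to look at for one listing entry."""
    bits = parse_mode(mode_str)
    tags = []
    if bits & stat.S_ISUID:
        tags.append("setuid-root" if owner == "root" else "setuid")
    if bits & stat.S_ISGID:
        tags.append("setgid")
    if bits & stat.S_ISUID and bits & stat.S_IXOTH:
        tags.append("runnable-by-anyone")
    if bits & stat.S_IWOTH:
        tags.append("world-writable")
    return tags

if __name__ == "__main__":
    # Constructed sample: the first entry mirrors the listing in the post.
    for mode, owner, name in [("-rwsr-xr-x", "root", "bad-ass-ownage.pl"),
                              ("-rwxr-xr-x", "root", "report.sh"),
                              ("-rwSrw-rw-", "alice", "notes.txt")]:
        print(mode, oct(parse_mode(mode)), owner, name, review(mode, owner) or "ok")
```

A capital `S` in the owner column means the setuid bit is set without the owner execute bit, which is why the third sample entry decodes to 4666 rather than 4766.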