Ask Slashdot: How To Communicate Security Alerts?
I had to create a warning protocol/process about 15 years ago but it might work for you.
1. We color-coded the warnings kinda like the first DHS warnings ... colors are associated with threat levels.
2. When a threat or a vulnerability became a concern, we sent out global company emails to employees, contractors, and clients. The emails had a standard format, including color-coded stationery.
3. We created a short PDF for each threat/vuln that was sent as an attachment with the global email warning. This was done with guidance from an authority like SANS or the CERT at Carnegie Mellon.
4. That PDF contained an explanation of differences between threat and vuln (like the difference between Storm Watch and Storm Warning).
5. That PDF contained info about the particular threat/vuln, what the company was doing about it, and what personal steps the employees should take at work and at home. They were encouraged to give these PDFs to friends and family, so as to educate as many people as possible.
This process was detailed in our Risk Assessment plan, which was in our larger Security Plan. I know not every company has these, but if you create the plan piecemeal, you can eventually have enough material to put a full Security Plan together. Just remember to change up the warning levels. Don't always leave it at yellow or orange, or you create user ambivalence, just like the reception the DHS warning system got from the general public.