Abstract
In today's era of widespread information technology, our country has spared no effort in promoting the application of information technology to daily life. However, as the network environment has become pervasive, information security incidents have occurred one after another, leading the government to gradually attach importance to every area of information security. The Research, Development and Evaluation Commission of the Executive Yuan (行政院研究發展考核委員會) therefore began actively promoting the establishment of the National Information and Communication Security Taskforce (國家資通安全會報) and assisting government agencies and private enterprises in adopting information security policies and related guidance measures.
Insufficient awareness of, and indifference toward, information security protection among employees creates a major hole in an enterprise's information security. Even if a company invests in all kinds of network-protection hardware and software and protects its server room with a good physical security system, the result may still be easily breached. Social engineering exploits the human tendency to trust and be deceived, bypasses the network firewall that is hard to crack, and with simple communication and deception techniques breaks through security protections on which the enterprise spent tens of millions; the cost is only a few e-mail messages, or one or two telephone calls, yet it can cause the enterprise enormous losses.
This study hopes, through internal e-mail social-engineering drills, information security education and training, and information security awareness campaigns, to make employees understand that individual factors can expose the enterprise to information security incidents, and further to build employees' basic understanding of information security. Through these three components it hopes employees will gain a deeper understanding of information security and develop correct usage habits, so as to improve the constitution of the enterprise's information environment.
Based on the above, two main research topics are planned:
1. After employees take part in an internal e-mail social-engineering drill, examine the differences before and after the drill and whether their awareness in screening which e-mails to click has noticeably improved, so as to reduce information security incidents such as leaks of confidential documents and personal data.
2. Through information security education, training and awareness campaigns, examine whether employees' information security awareness can be raised. Once they understand the importance of information security to the enterprise, individuals and the enterprise can avoid harm from information security incidents.
Combining these two topics, the study uses internal social-engineering drills and an internal questionnaire survey as empirical evidence to examine how well employees understand e-mail social-engineering drills and information security.
ABSTRACT
Because most employees are careless about information security, they create security vulnerabilities in an enterprise. Even though a company builds its systems with hardware and software for network protection, it can still be defenseless. A hacker may use social engineering (communication and deception skills) to pass through the firewall. Such an attack costs only a few telephone-call fees but brings huge damage to an enterprise. Employees usually do not concern themselves with information security; they believe that such issues should be handled by the information department, and this attitude can cause unexpected damage. Consequently, the company (TS), the research subject of this study, helps its employees build essential information security awareness by introducing social engineering training courses based on its internal e-mail system, together with related drills and awareness campaigns. This study therefore comprises the two topics listed below:
1. After performing the social engineering drill, does the company (TS) successfully improve employees' awareness of such issues (e.g., clicking on e-mails)?
2. After introducing information security training and awareness campaigns, do employees actually understand the importance of information security? If so, this can keep the enterprise away from harm.
Finally, by analyzing the questionnaires, we can verify and confirm whether or not employees have learned the importance of social engineering and information security.