Training

Building a Security Awareness Program: What Employees Really Need to Know

TL;DR
  • Over 80% of all successful cyberattacks exploit human weaknesses — technical measures alone are not enough.
  • Mandatory topics include phishing, passwords, social engineering, clean desk, mobile security, and data protection basics.
  • The most effective combination consists of in-person training, e-learning modules, and regular phishing simulations.
  • New employees must be trained during onboarding before they receive access to production systems.
  • Awareness becomes measurable through phishing click rates, quiz scores, reporting rates, and training coverage — track these KPIs continuously.

Why people are the decisive factor

The firewall is up, the endpoint detection system is running, and backups are regularly tested. Technically, your organization is well positioned. And then an employee in accounting clicks on the link in a deceptively authentic email that supposedly came from the CEO. Two hours later, the network is encrypted.

This is not a hypothetical scenario. Analyses from insurers and security authorities have shown a consistent picture for years: over 80% of all successful cyberattacks begin with a human action. A click on a phishing link, a too-simple password, a USB stick from the parking lot, a phone call where confidential information is disclosed. Technical safeguards can be as sophisticated as possible — they are regularly circumvented by human behavior.

This does not mean employees are to blame. It means they have not been adequately prepared. Security awareness is not a nice-to-have add-on but a supporting pillar of every information security strategy. ISO 27001 explicitly requires it in Annex A.6.3, NIS2 lists cyber hygiene and training as one of the ten minimum measures, and DSGVO (GDPR) also presumes that employees know how to handle personal data.

The difference between an organization that takes awareness seriously and one that gets a mandatory training over and done with once a year shows in an emergency. In the first case, the employee reports the suspicious email to IT. In the second, they click the link and hope no one notices.

What a security awareness program must achieve

Before we discuss topics and formats, it is worth looking at the objectives. A security awareness program should achieve three things:

Convey knowledge. Employees must understand what threats exist and how to recognize them. Someone who does not know what phishing is cannot identify a phishing email as such.

Change behavior. Knowledge alone is not enough. The goal is for employees to actually adjust their behavior in daily work. That they lock their screen when they leave their desk. That they report suspicious emails instead of ignoring them. That they verify unusual requests rather than blindly trusting them.

Shape culture. In the long term, the goal is to establish a security culture where information security is not a foreign element but a natural part of work. Where there is no stigma in having reported a phishing email that turns out to be harmless — where exactly this behavior is recognized.

The mandatory topics: what every employee must know

An awareness program does not have to cover all topics simultaneously. But there is a core area relevant to every employee regardless of department or position. These topics form the foundation and should be covered in the initial training.

Phishing and email security

Phishing remains the number one attack vector. Every employee must understand what phishing is, how attackers operate, and what characteristics reveal suspicious emails. This is not about the obvious cases with spelling errors and Nigerian princes, but about targeted attacks using the name of your own CEO or a real supplier.

Specific training content:

  • Typical characteristics of phishing emails (check sender address, question urgency, inspect links before clicking)
  • Spear phishing and CEO fraud as targeted variants
  • What to do when suspicious: do not click, do not reply, report to IT
  • How the reporting process specifically works in the organization (which address, through which channel)

An often neglected point: convey not only how to recognize phishing, but also that there is no shame in falling for a well-crafted phishing email. Someone who fears consequences will not report an incident — and that is far more dangerous than the initial click.

Passwords and authentication

The days when an eight-character password with one special character was considered secure are over. Employees must understand why passphrases are better than complex character combinations, why every account needs its own password, and why a password manager is not a gimmick but a security tool. The associated password policy provides the framework.

Training content:

  • Why password reuse is dangerous (credential stuffing)
  • How passphrases work and why length matters more than complexity
  • Setting up and using a password manager
  • Multi-factor authentication: what it is, why it helps, and how to activate it
  • What to do if you suspect a password has been compromised

It is important that the training does not stop at theory. Show employees live how quickly a six-character password can be cracked. Show them how to install and use the password manager. Make it practical.

Social engineering

Phishing is just one form of social engineering. Attackers also use the phone, personal contacts, or social media to obtain information or persuade employees to take actions. The training must cover the full spectrum.

Address the following scenarios:

  • The call from "IT support" urgently needing the password
  • The person posing as a repairman demanding server room access (tailgating)
  • The LinkedIn message asking a harmless question while gathering information about internal systems
  • The USB stick "accidentally" lying in the parking lot
  • Pretexting: when someone impersonates a colleague, supplier, or authority

The most effective defense against social engineering is healthy skepticism combined with clear processes. If someone on the phone claims to be the new IT employee and needs admin access, there is a defined way to verify that. These processes must be trained.

Clean desk and physical security

Information security does not end at the screen. Documents on the desk, an unlocked laptop in the break room, or an open server room are entry points no hacker needs.

The clean desk policy includes:

  • Lock the screen every time you leave your workstation (Windows + L — this must become a reflex)
  • Do not leave confidential documents in the open
  • Shred documents with sensitive content instead of throwing them in the waste bin
  • Approach and accompany strangers in the office
  • Check meeting rooms after meetings (erase whiteboards, take documents)
  • Pick up printouts promptly

These topics sound trivial but are constantly violated in daily practice. An audit usually reveals this within minutes.

Mobile security and remote work

Since the pandemic, many employees work at least part-time from home or on the road. This significantly expands the attack surface — the home router is not an enterprise device, and the cafe WiFi certainly is not.

Training content for mobile work:

  • Only use public WiFi networks with VPN
  • Use a privacy screen filter on trains or planes
  • No confidential phone calls in public spaces
  • Do not leave devices unattended
  • Separate personal and business use (why BYOD policies exist)
  • What to do when a device is lost: report immediately, enable remote wipe

Especially on the topic of remote work, pragmatism is key. You will not be able to require employees to equip their home router with enterprise firmware. But you can ensure they do not let their children use the company laptop for games and that VPN access is protected with MFA.

Data protection basics

Security awareness and data protection awareness overlap significantly. Every employee who works with personal data must know the basics. This is not only relevant from an ISMS perspective but also a requirement of DSGVO (GDPR).

Key topics:

  • What constitutes personal data and what are special categories
  • Basic principles of data processing (purpose limitation, data minimization, storage limitation)
  • When and to whom data may be shared
  • Data subject rights: what to do when someone requests information about their data
  • Recognizing and immediately reporting data breaches (the GDPR 72-hour deadline)

Beyond the basics: role-specific topics

Not every employee needs the same depth of knowledge. In addition to the basic training for everyone, there are topics relevant only to specific groups.

IT administrators need in-depth knowledge on topics such as privileged access management, secure configuration, patch management, and incident response procedures. For them, the basic training is just the beginning.

Executive management must understand their personal responsibility for information security, particularly under NIS2. They need to know which strategic decisions they must make, which risks the organization bears, and how information security is embedded in corporate governance.

The HR department works with particularly sensitive personal data. In-depth data protection training and awareness for social engineering attacks specifically targeting HR staff (forged applications with malware attachments are a classic) are needed here.

Financial accounting is a popular target for CEO fraud and wire transfer fraud. Employees in accounting need specific training on these attack patterns and clear four-eyes processes for payment instructions.

Developers need training on secure software development (secure coding), OWASP Top 10, and the secure handling of credentials in code repositories.

Training formats: what actually works

The best awareness program is useless if it does not reach employees. The format is at least as important as the content. The good news: there is now a wide range of proven formats, and the most effective strategy combines several of them.

In-person training and live workshops

In-person training has a major advantage: it enables interaction, questions, and discussion. A good trainer can address the specific situation of the organization, bring industry examples, and directly engage employees.

The disadvantages are obvious: high organizational effort, scheduling coordination, and limited scalability. For a company with 100 employees at one location, this is feasible. For distributed teams or companies with shift operations, it quickly becomes complicated.

In-person training is particularly suitable for initial training, executive training, and topics that require discussion (such as balancing security and usability in daily work).

A proven format: 90-minute workshops in small groups (15 to 20 people) with interactive elements. Live demos of a phishing attack, jointly analyzing suspicious emails, discussing real incidents from your own industry. That sticks.

E-learning modules

E-learning platforms offer flexibility: employees can complete the training at a time that fits their workday. Modules can be repeated at any time, and participation is automatically documented.

Good e-learning modules are short (10 to 15 minutes per unit), interactive (not just slide decks to click through), and contain practical exercises or quiz questions. Bad e-learning modules are 60-minute monologues with a mandatory quiz at the end. The latter consume time and produce exactly zero behavior change.

When selecting an e-learning platform, look for:

  • Content quality and currency of modules
  • Availability in the relevant languages
  • Ability to add custom content (company-specific policies, own examples)
  • Reporting features (who completed what and when, quiz scores)
  • Integration with existing systems (single sign-on, LMS integration)

Phishing simulations

Phishing simulations are the most effective tool for measuring and improving not just knowledge, but actual behavior. Controlled phishing emails that look deceptively real but are harmless are sent to employees. Those who click are redirected to a learning page that explains how the email could have been identified as phishing.

The learning effect is enormous. An abstract training about phishing detection has significantly less impact than the moment you yourself fall for a simulated email and realize: that could have been real. This aha moment anchors itself sustainably.

Important rules for phishing simulations:

  • No blame and shame. Employees who click must not be publicly exposed or punished. This leads to real incidents not being reported anymore.
  • Graduated difficulty. Start with more obvious phishing emails and increase quality over the months. This gives employees success experiences and avoids frustration.
  • Regularity. Once per quarter is a good rhythm. Monthly can feel like harassment; semi-annually is too infrequent for a lasting effect.
  • Variation. Use different phishing scenarios: fake package notifications, alleged password resets, fake invoices, CEO fraud emails. Not always the same pattern.
  • Involve the works council. Inform the works council about phishing simulations in advance. In many organizations, this is required anyway, and early involvement prevents conflicts.

Micro-learning and continuous impulses

Between formal training sessions, micro-learning helps maintain awareness. These can be short, regular impulses:

  • Weekly security tips via email or intranet (one tip, maximum three sentences)
  • Posters or digital info screens in the office with rotating security topics
  • Short videos (60 to 90 seconds) on current threats
  • Gamification elements: quizzes, competitions between departments, rewards for reported phishing emails

The advantage of micro-learning: it keeps the topic present without taking much time. The disadvantage: it does not replace a thorough foundational training. Micro-learning is the supplement, not the substitute.

Frequency and rhythm: how often must training happen?

The question of the right frequency cannot be answered universally, but there are proven benchmarks that satisfy both regulatory requirements and practical effectiveness.

Initial training: Every new employee completes a comprehensive security awareness training before receiving access to production systems. More on this in the onboarding section below.

Annual refresher training: At least once per year, every employee should receive a refresher. This is also the minimum requirement that auditors expect. This training can be shorter than the initial one and should address new threats and current incidents.

Quarterly phishing simulations: Four simulations per year are a good compromise between effectiveness and acceptance.

Event-driven training: After a security incident, when introducing new systems or tools, when the threat landscape changes significantly, or when new policies are introduced.

Continuous micro-learning impulses: Weekly to monthly, depending on available resources.

A realistic annual program for a company with 100 employees might look like this:

| Quarter | Measure | Format | Duration |
|---|---|---|---|
| Q1 | Annual awareness training | E-learning + live workshop | 90 min |
| Q1 | Phishing simulation 1 | Simulated email | - |
| Q2 | Focus training (e.g., social engineering) | E-learning module | 20 min |
| Q2 | Phishing simulation 2 | Simulated email | - |
| Q3 | Focus training (e.g., mobile security) | E-learning module | 20 min |
| Q3 | Phishing simulation 3 | Simulated email | - |
| Q4 | Lessons learned and current threats | Live workshop or e-learning | 45 min |
| Q4 | Phishing simulation 4 | Simulated email | - |
| Ongoing | Security tips via email/intranet | Micro-learning | 2 min/week |

New employees: security awareness in onboarding

New employees are particularly vulnerable in their first weeks. They do not know the internal processes, do not know which emails are typical and which are suspicious, and they are often motivated to respond quickly and deliver. Attackers exploit exactly this.

Security awareness training must be a fixed part of the onboarding process. Not optional, not "when there is time," but as a mandatory module before the new employee receives access to email, network, and business applications.

The onboarding awareness module should include:

Day 1 or 2: Basic security rules and the most important policies. The new employee must know how to lock their computer, whom to contact with questions, and where to report suspicious emails. Acknowledgment of the information security policy and password policy should be documented.

First week: E-learning foundational module covering the six mandatory topics (phishing, passwords, social engineering, clean desk, mobile security, data protection). Ideally with a short quiz at the end to test comprehension.

First month: In-depth training on department-specific topics. A new employee in accounting needs different focus areas than someone in production.

Document the completion of onboarding training carefully — ideally in an ISMS tool like ISMS Lite (500 euros per year, without seat licenses), which automatically manages training records with deadlines and escalations. This is relevant not only for audits but also for your own traceability: which employee was trained when on which topics?

Making awareness measurable: KPIs and metrics

One of the biggest challenges with security awareness is measurability. How do you know if your program is actually working? Whether the investment in training and tools makes a difference? You need metrics you can track over time.

Phishing click rate

The single most important metric. It shows the percentage of employees who click on the malicious link or open an attachment during a phishing simulation. The click rate should decrease over time.

Typical values: in many organizations, the first test yields a 20 to 30% click rate. After a year of consistent training, 5 to 10% is a realistic target. Below 5% is excellent.

Important: do not just look at the average but also at the distribution. Are there departments that are particularly susceptible? Are there repeat clickers who need targeted remedial training?

Reporting rate

At least as important as the click rate: how many employees actively report a suspicious email to IT? A declining click rate with a simultaneously rising reporting rate is the best sign that the program is working.

Measure both the reporting rate during phishing simulations and the number of reports during normal operations. A rising number of reported suspicious emails is not a problem — it is a sign of an alert workforce.

Training coverage

The percentage of employees who completed their mandatory training within the designated timeframe. The target should be at least 95%. Anything below suggests organizational problems: missing approval from supervisors, technical barriers to accessing the e-learning platform, or simply a lack of commitment.

Quiz scores

If your training modules include knowledge tests, track the average scores and their development over time. Pay attention to questions that are frequently answered incorrectly. This shows you where knowledge gaps exist and where you need to adjust.

Incidents involving the human factor

In the long term, the ultimate metric is the number of security incidents attributable to human error. This number cannot be directly attributed to the awareness program — many other factors play a role. But a downward trend in combination with the other metrics confirms the program is working.

Dashboard and reporting

Consolidate the KPIs in an awareness dashboard that you regularly present to executive management — ideally as part of the management review. With ISMS Lite, these metrics can be generated directly from training data and incorporated into reporting. This makes the program's value visible and secures support for the budget.

A simple reporting format:

| KPI | Q1 | Q2 | Q3 | Q4 | Trend |
|---|---|---|---|---|---|
| Phishing click rate | 25% | 18% | 12% | 8% | falling |
| Reporting rate | 10% | 22% | 35% | 48% | rising |
| Training coverage | 87% | 94% | 97% | 98% | rising |
| Avg. quiz score | 68% | 74% | 79% | 82% | rising |
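As an added example (not code from the article or from ISMS Lite), the KPIs of this section computed from constructed phishing-simulation and training records: click rate and reporting rate per quarter, the per-department distribution and repeat-clicker check from the click-rate section, and on-time training coverage. Employee names, departments and dates are made up.

```python
"""Awareness KPIs from constructed simulation and training records:
click rate, reporting rate, distribution by department, repeat
clickers and training coverage, plus the per-quarter dashboard rows."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SimResult:
    employee: str
    department: str
    quarter: str      # e.g. "Q1"
    clicked: bool     # opened the link/attachment in the simulated mail
    reported: bool    # forwarded the mail to the reporting address


@dataclass(frozen=True)
class TrainingRecord:
    employee: str
    due: date
    completed: Optional[date]   # None = never completed


# Constructed sample data (hypothetical): two quarters, six employees.
SIM_RESULTS = [
    SimResult("anna", "Accounting", "Q1", True, False),
    SimResult("ben", "Accounting", "Q1", True, False),
    SimResult("carla", "HR", "Q1", False, True),
    SimResult("dirk", "HR", "Q1", True, False),
    SimResult("eva", "IT", "Q1", False, True),
    SimResult("finn", "Sales", "Q1", False, False),
    SimResult("anna", "Accounting", "Q2", True, False),
    SimResult("ben", "Accounting", "Q2", False, True),
    SimResult("carla", "HR", "Q2", False, True),
    SimResult("dirk", "HR", "Q2", False, False),
    SimResult("eva", "IT", "Q2", False, True),
    SimResult("finn", "Sales", "Q2", False, True),
]
TRAINING = [
    TrainingRecord("anna", date(2024, 3, 31), date(2024, 3, 10)),
    TrainingRecord("ben", date(2024, 3, 31), date(2024, 4, 15)),   # late
    TrainingRecord("carla", date(2024, 3, 31), date(2024, 2, 28)),
    TrainingRecord("dirk", date(2024, 3, 31), None),               # missing
    TrainingRecord("eva", date(2024, 3, 31), date(2024, 3, 31)),   # on the deadline
    TrainingRecord("finn", date(2024, 3, 31), date(2024, 3, 2)),
]


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def click_rate(results, quarter):
    rows = [r for r in results if r.quarter == quarter]
    return _pct(sum(r.clicked for r in rows), len(rows))


def reporting_rate(results, quarter):
    rows = [r for r in results if r.quarter == quarter]
    return _pct(sum(r.reported for r in rows), len(rows))


def click_rate_by_department(results, quarter):
    """The distribution behind the average: which departments are exposed."""
    hits, totals = defaultdict(int), defaultdict(int)
    for r in results:
        if r.quarter == quarter:
            totals[r.department] += 1
            hits[r.department] += r.clicked
    return {d: _pct(hits[d], totals[d]) for d in sorted(totals)}


def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least min_clicks simulations: candidates
    for targeted remedial training, never for public exposure."""
    clicks = defaultdict(int)
    for r in results:
        clicks[r.employee] += r.clicked
    return sorted(e for e, n in clicks.items() if n >= min_clicks)


def training_coverage(records):
    """Share of employees who completed mandatory training by its due date."""
    on_time = sum(1 for t in records if t.completed is not None and t.completed <= t.due)
    return _pct(on_time, len(records))


def kpi_trend(results, quarters):
    """One (quarter, click rate, reporting rate) row per quarter for the dashboard."""
    return [(q, click_rate(results, q), reporting_rate(results, q)) for q in quarters]
```

With the constructed data the click rate falls from 50.0% to 16.7% while the reporting rate rises from 33.3% to 66.7%, the pattern the article calls the best sign that a program is working.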

Tips for training that does not bore

Let us be honest: most employees view security training as a tedious obligation. They click through the slides, answer the quiz questions with minimal effort, and have forgotten everything after a week. This is not the employees' fault. It is the training's fault.

Here are principles that make the difference between a training that sticks and one that is immediately forgotten:

Real stories instead of abstract theory

People remember stories, not bullet points. Instead of "Phishing attacks can lead to data loss," tell the story of the mid-market machine manufacturer that experienced three weeks of production standstill from a single phishing email. Anonymized incidents from your own industry or even your own organization have the strongest impact.

Short and focused

A 90-minute mandatory training once a year is less effective than six 15-minute modules spread over the year. Attention span in training is limited. Keep individual modules short and focus on one topic per unit.

Interaction instead of lectures

Let employees analyze suspicious emails instead of reading checklists to them. Show live demos of how an attacker operates. Let them discuss in small groups how they would react in a specific scenario. Every minute employees actively participate is more valuable than ten minutes of slide karaoke.

Humor and lightness

Security training does not have to be deadly serious. A relaxed tone, humorous examples, and a trainer who can laugh at themselves make the topic more accessible. This does not mean the content should be superficial — just that the delivery can be enjoyable.

Relevance to daily work

Avoid abstract concepts and instead show how what is learned affects the specific daily work of the target group. The accounting employee does not need an explanation of TCP/IP, but they need clear instructions on how to verify a suspicious payment instruction. The field sales employee does not need a slide about network segmentation, but they need to know why they should activate the VPN in hotel WiFi.

Positive reinforcement instead of fear tactics

Fear motivates in the short term but leads to avoidance behavior long-term. Instead of "If you click on phishing, it costs the company millions," a better approach is "You are our most important line of defense." Reward desired behavior: public praise for reported phishing emails, small rewards for departments with the lowest click rate, gamification elements.

Management as role models

When executive management completes the awareness training first and communicates this, it sends a signal. When they exempt themselves from training, it sends a different signal. Management participation is not only required by regulation (NIS2 demands it) but also culturally decisive.

Involving the works council

In many organizations, the works council has co-determination rights regarding training measures and especially regarding phishing simulations, which can be interpreted as behavioral monitoring. Inform the works council early and transparently:

  • Which training sessions are planned and why?
  • How will phishing simulations be conducted and evaluated?
  • What data is collected and how long is it stored?
  • Will results be evaluated individually or only in aggregate?

A works council agreement on security awareness measures creates legal certainty for both sides and prevents conflicts that could jeopardize the entire program.

Typical pitfalls and how to avoid them

One-time training instead of a program. An annual mandatory training formally meets the minimum requirement but changes no behavior. Awareness must be continuous, not a one-time event.

Too much at once. If you cram phishing, passwords, social engineering, GDPR, clean desk, mobile security, cryptography, and incident response into two hours in the first training, nothing sticks. Prioritize and distribute the topics over the year.

No follow-up. Conducting training and then never checking if it worked is a waste of resources. Without measurement, you do not know if you need to improve or where the gaps are.

Phishing simulations as punishment. If employees who fall for a simulation are called to the supervisor, you torpedo the security culture. It is about learning, not discipline.

IT jargon in non-IT training. Avoid technical terms your audience does not know. The accounting clerk does not need to know what a man-in-the-middle attack is. They need to know to look for the lock icon in the browser before entering bank details.

From obligation to culture

A mature security awareness program typically goes through three phases:

Phase 1: Compliance. You conduct training because regulation requires it. The goal is to demonstrate that training took place. The impact is limited, but the foundation is laid.

Phase 2: Behavior change. Through continuous measures, phishing simulations, and measurement, behavior actually begins to change. Click rates drop, reporting rates rise. Employees start being more attentive in their daily work.

Phase 3: Security culture. Information security is understood as a shared responsibility. Employees proactively report suspicious activities, support new colleagues, and see security not as an obstacle but as part of their work. This is the goal — and it typically takes two to three years of consistent effort to get there.

The path there leads through continuity, relevance, and appreciation. Continuous measures instead of one-time actions. Relevant content instead of generic slides. And appreciation of every employee as an active part of the security strategy — not as a problem that needs to be trained.

Further reading

Start today. Not with the perfect platform and a three-year plan, but with a good initial training, a phishing simulation, and honest commitment from executive management. Everything else you build piece by piece.

Security awareness with a system

ISMS Lite supports you in planning, delivering, and tracking your awareness measures. Training records, deadline monitoring, and reporting in one tool.
