Skip to content

Services, Wiki-Artikel, Blog-Beiträge und Glossar-Einträge durchsuchen

↑↓NavigierenEnterÖffnenESCSchließen
Security Awareness Glossary

Security Awareness Training - Menschliche Firewall aufbauen

Security awareness training equips employees to act as a human firewall: phishing detection, social engineering, password hygiene, mobile security, and GDPR obligations. Effective programs utilize phishing simulations (target click-through rate: <5%), micro-learning (3–5 min.), gamification, and spear-phishing-based refresher training. KPIs: Click-through rate, reporting rate, credential entry rate. Regulatory requirements: NIS2, ISO 27001 A.6.3, BSI IT-Grundschutz ORP.3.

Security Awareness Training is the systematic training of employees to reduce human vulnerabilities. Technology can block most attacks—but phishing, social engineering, and insider threats target people, not systems.

Why Technical Controls Alone Fail

Statistics (Verizon DBIR 2024)

  • 68% of all data breaches: human error
  • 36% of all attacks: phishing as the initial vector
  • Average click-through rate without training: 30–40%
  • With regular training: < 5% (benchmark)

What training can achieve

  • Recognize phishing: report dangerous emails instead of clicking
  • Resist social engineering: pretext calls, CEO fraud
  • Password security: avoid weak passwords and reuse
  • GDPR awareness: report data breaches
  • Incident reporting: "when in doubt, report!"

What training cannot do

  • Completely eliminate spear phishing (targeted attacks will still succeed)
  • Replace technical controls (MFA, EDR, email filters)
  • Once a year and done—continuous effort is required!

Building an effective awareness program

Phase 1: Measure the baseline (Weeks 1–4)

  • Phishing simulation without warning: Measure click-through rate
  • Quiz: Assess employees’ basic knowledge
  • Identify knowledge gaps
  • Risk profiling: Which departments/roles are most exposed?

High-risk groups (prioritize):

  • Financial accounting (BEC/CEO fraud target!)
  • C-suite and assistants (whaling targets!)
  • IT administrators (privileged access)
  • HR and recruitment (fake applications containing malware)
  • New employees (not yet trained)

Phase 2: Create/select content

Mandatory modules (minimum standard):

  • Recognizing phishing (email, SMS, QR code)
  • Social engineering and pretext calls
  • Password hygiene and password managers
  • Secure use of company devices and BYOD
  • GDPR basics and reporting data breaches
  • Remote work security (home network, coffee shop Wi-Fi)
  • Incident reporting (how, where, when to report?)

Format recommendations:

  • Micro-learning: 3–5 minutes per lesson (no 1-hour annual video!)
  • Video + quiz: interactive, no text-only slides
  • Scenario-based: “What would you do in this situation?”
  • Mobile-friendly: Employees can learn on their phones
  • German + other languages (multilingual teams!)

Phase 3: Implementation

  • LMS (Learning Management System): KnowBe4, Proofpoint TAP, Hoxhunt, Kaspersky ASAP
  • Rollout: all employees, mandatory modules + quizzes
  • Reminders: automatic email reminders for pending training
  • Certificates: Completion confirmations (proof of compliance!)

Phase 4: Phishing Simulations

  • Regular: monthly or quarterly
  • Realistic templates: current topics (package notification, IT support)
  • Clicker: immediate micro-training ("You clicked! Here’s why it’s dangerous:")
  • No punishment: learning experience, not disciplinary action
  • Reports: click rates per department, trends over time

Phishing Simulation KPIs

Phishing KPIs

Click Rate:

  • How many employees click on phishing links?
  • Benchmark: < 5% (target after 12 months of training)
  • Alert: > 20% (immediate action required!)

Credential Entry Rate:

  • How many enter a username/password after clicking?
  • Should be significantly lower than the click rate
  • > 50% of clickers enter credentials: password manager is missing!

Reporting Rate:

  • How many report the phishing simulation as suspicious?
  • Good: > 25% actively report
  • Target: > 60% (proactive security culture)
  • "Report Phishing" button in Outlook/Gmail: enable easy reporting

Time to Report:

  • How quickly is a real phishing campaign reported?
  • Benchmark: < 1 hour (from first email to report)
  • Critical for SOC response time!

Awareness Program KPIs

KPITargetMeaning
Completion Rate95%+% of employees who have completed mandatory modules (for compliance!)
Quiz Pass Rate90%+% of employees who pass the quiz
Repeat RateIncreasingIndicator of engagement
Click-Through Rate (Trend)DecreasingTraining is working!
Reporting Rate (Trend)IncreasingCulture is improving!

Spear Phishing and Targeted Simulations

Standard Simulation (Level 1)

  • "Please reset your password"
  • "DHL: Package could not be delivered"
  • "IT Support: Security update required"

Spear-Phishing Simulation (Level 2)

Personalized and highly realistic for maximum learning impact:

  • Personalized: Name, department, project name
  • From "known" senders: CEO name, manager name
  • Current context: "Re: Q1 Budget Meeting"
Example scenario (CEO fraud):
From: &quot;Maximilian Müller (CEO)&quot;<m.müller@firma-corp.com>
To:  buchhaltung@firma.de
Subject: URGENT: Transfer for acquisition
Body: &quot;I&#x27;m in a meeting right now, please transfer the funds today...&quot;
→ Click-through rate on &quot;Confirm bank details&quot; link: often 15–20%!

Learning outcome after spear phishing:

  • Recipients see: "This was a test. Here’s how to spot CEO fraud emails:"
  • No "You failed!" – use a learning-focused approach!
  • Immediately afterward: 5-minute module on BEC/CEO fraud

Vishing simulation (telephone fraud)

  • Calls from "IT Support" asking for login credentials
  • "Microsoft Support" requesting remote access
  • More difficult to simulate, but very effective for raising awareness

Regulatory Requirements

ISO 27001 (A.6.3)

> "All employees and, where applicable, contractors receive regular training on information security as well as regular updates to company policies."

Evidence: Training logs, quiz results, certificates

NIS2 / BSIG (Section 30(3)(a))

> "Training in the area of cybersecurity hygiene"

  • Applies to: critical and important facilities
  • Penalty for non-compliance: up to 10 million EUR or 2% of annual turnover

BSI IT-Grundschutz (ORP.3)

RequirementContent
ORP.3.A1Raising awareness among institutional management
ORP.3.A4Design of a training and awareness program
ORP.3.A12Conducting phishing campaigns

Evidence: Training concept + proof of implementation

GDPR (Art. 32 + 39)

  • Data protection training as a technical/organizational measure
  • DPO (Data Protection Officer) must promote awareness (Art. 39)

Documentation for Audits

  • Training program document: which modules, how often
  • Attendance lists: all employees + date
  • Quiz results: as CSV/export from LMS
  • Phishing simulation reports: click-through rates per campaign
  • Improvement measures: what was done after a poor click-through rate?
  • Annual review: was the program effective?</m.müller@firma-corp.com>

AWARE7 Services on This Topic

Phishing-Simulation Schulungen
Back to Glossary Book a free consultation