
Security Awareness

Your people are your most important security system.

68% of data breaches involve a human factor (Verizon DBIR 2024). With live hacking shows, phishing simulations, and the Escape Desk we turn your employees into your strongest line of defence - measurably and sustainably.

ISO 27001 certified · NIS-2 compliant · Audit-ready reports · AZAV-accredited training provider


The Core Problem

Technology alone does not protect.

Firewall, EDR, SIEM - none of that helps if an employee clicks the wrong link. People are the preferred target of modern cybercriminals.

Phishing hits everyone - including professionals

Modern phishing attacks are so precise that even experienced IT staff do not always detect them. Spear-phishing with personal details sourced from social media carries an average click rate of 30%. Without regular training these numbers keep rising.

One-off training fades quickly

After a single training session, security awareness drops back to baseline within 30 days. The Ebbinghaus forgetting curve applies to security knowledge as much as anything else. Only continuous, varied measures create lasting behaviour change.

NIS-2 requires demonstrable training

NIS-2 explicitly mandates regular awareness training for affected organisations. Organisations unable to provide this evidence risk fines of up to EUR 10 million or 2% of global annual turnover - and personal liability for management.

No measurement - no progress

Many awareness measures produce no usable data. Without click-rate tracking, department comparisons, and improvement KPIs, IT leaders and CISOs cannot know whether investments are working - and cannot demonstrate this to auditors or the board either.

Sources: Verizon DBIR 2024, IBM Cost of a Data Breach Report 2024, BSI Security Report 2024

Awareness starts with the first step.

In a free 30-minute call we discuss which format best fits your workforce and compliance requirements.

Free · 30 minutes · No obligation

How it works

From analysis to measurable behaviour change

Our structured awareness approach ensures measures do not peter out - but have lasting impact.

01 · Baseline analysis & goal setting

We assess the current security awareness of your workforce - anonymously, quickly, and without upfront investment. Based on this baseline we set realistic targets and select the right format.

02 · Programme planning

We develop an annual plan with progressively building measures: phishing campaigns, live events, micro-learnings. Each measure is tailored to your sector, size, and current threat landscape.

03 · Delivery & measurement

We run all measures - with no internal overhead for your team. Results are captured in real time: click rates, reporting rates, department comparisons, and trend analyses are available in a dashboard.

04 · Reporting & evidence

You receive quarterly audit-ready reports - prepared for auditors, ISO 27001 reviews, and NIS-2 evidence. Including industry benchmarks and clear recommendations for the next measures.

Three formats compared

Each format has its strength - the combination is most effective.

Criterion     | Live Hacking            | Phishing Simulation | Escape Desk
Goal          | Emotional awareness     | Behaviour change    | Gamified learning
Duration      | 60-120 minutes          | Continuous          | 2-3 hours
Participants  | 10-500 people           | All employees       | 5-15 per group
Measurement   | Feedback analysis       | KPI dashboard       | Group evaluation
Best as       | Kickoff / annual event  | Ongoing training    | Team building / refresher
Price         | from EUR 2,500          | EUR 1,200           | on request

Your points of contact

Our awareness experts advise you on formats, campaign planning, and measurable impact.

Who benefits from security awareness?

All employees

From reception to the boardroom - everyone is a potential target and must understand phishing, social engineering, and password security.

Executives & board members

CEO fraud and whaling attacks deliberately target decision-makers. Executive awareness protects against losses of millions through targeted manipulation.

IT departments

Even IT professionals fall for well-crafted attacks. Technical expertise does not automatically protect against social engineering.

NIS-2 affected organisations

Mandatory awareness training with audit-ready evidence for regulators and auditors. Our measures generate the required documentation automatically.

Organisations with remote teams

Distributed teams are particularly vulnerable - the absence of face-to-face verification increases the risk of phishing and business email compromise (BEC).

High-risk sectors

Healthcare, financial services, critical infrastructure - wherever data theft or operational disruption can be existential threats.

Why AWARE7 for security awareness

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - sized for the Mittelstand, personal, without enterprise overhead.

Research and teaching as our foundation

Around 20% of our revenue comes from research projects for the BSI and BMBF. Our studies analyse millions of websites and tens of thousands of phishing emails - published at ACM and Springer conferences. Two of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are on regular payroll with social insurance contributions and bound by uniform legal obligations. VS-NfD compliant on request.

Fixed price within 24h - predictable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no additional charges, no surprises. A well-rehearsed team and standardised processes give you a clear schedule with a defined start and end date.

Your dedicated point of contact - reachable at any time

A personal project manager accompanies you from the initial consultation through to the re-test. You book appointments directly with your contact - no ticket systems, no call centre, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50 to 2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT leaders & CISOs

Who need to make a convincing case internally - and need a report written in boardroom language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards


OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.


BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for company management (German version).

„Excellent coordination, highly interactive and engaging training.“

Renate S.

Healthcare group

FAQ

Your questions about security awareness

Everything CISOs, IT leaders, and compliance teams need to know before starting an awareness programme.

Security awareness refers to measures that educate employees about cyber threats and enable them to correctly identify and respond to security-relevant situations. According to IBM research, over 90% of all successful cyberattacks begin with human error - whether clicking a phishing link, using weak passwords, or opening unknown attachments. Technical controls alone are not enough: people must be understood as an active part of the security strategy.

Many organisations send a one-off test phishing email and consider a low click-rate a success. Professional managed phishing simulations go much further: we vary scenarios, tailor lures to current events within your organisation, combine phishing with vishing (phone-based attacks), and measure not just click rates but also reporting behaviour, response times, and improvement potential per department. You receive a detailed analysis with industry benchmarks and a prioritised action roadmap.

One-off training sessions are largely ineffective - the forgetting curve sets in within weeks. Best practice is a continuous programme: monthly micro-learnings (3-5 minutes), quarterly phishing simulations, and annual in-depth activities such as live hacking shows or escape desk sessions. NIS-2 affected organisations must demonstrate that awareness training is conducted regularly - our managed approach automatically generates audit-ready reports.

Costs depend on participant numbers, format, and intensity. A phishing simulation for up to 100 employees starts from approximately EUR 1,200; a live hacking show (up to 100 participants, 90 minutes) from approximately EUR 2,500. The Escape Desk is priced as a workshop format. For organisations booking a full-year managed programme, we offer flat rates. Contact us for an individual quote - you will receive a response within 24 hours.

Yes, directly. NIS-2 explicitly requires affected organisations to train employees in cybersecurity matters. ISO 27001 lists awareness measures as a core component of an ISMS (Annex A, control 6.3). Our measures are fully documented and provide audit-ready evidence - for internal audits as well as regulatory requests.

Absolutely - and this is particularly important. CEO fraud, spear-phishing, and social engineering attacks deliberately target decision-makers. Our live hacking shows and executive workshops are specifically designed for senior leaders: less technical, more focused on business risks and real-world attack scenarios. Many of our clients combine a board presentation with a company-wide awareness campaign for all employees.

We recommend combining a live hacking show as a kickoff event (creates emotional impact and attention) with subsequent monthly phishing simulations (trains the learned behaviour). The Escape Desk works excellently as a refresher after 6-12 months. In the free initial consultation we develop a tailored plan for your organisation.

Our primary language is German. Phishing simulations can also be conducted in English. Live hacking shows are available in both German and English. For international teams we create multilingual campaigns with unified reporting.

A phishing simulation can be set up within 5-10 business days. For a live hacking show we typically plan 2-4 weeks of lead time. The Escape Desk requires approximately 3 weeks of preparation. In urgent cases (e.g. following a security incident) we can also respond at shorter notice.

Turn your employees into your strongest line of defence.

Free 30-minute initial consultation. No sales pressure, no off-the-shelf solutions - just honest advice on what genuinely fits your organisation.


Cookieless analytics via Matomo (self-hosted, no tracking cookie). Privacy policy