Security awareness training: How the human firewall really works
Security Awareness Training Done Right: Why Traditional One-Time Training Sessions Fail, What Phishing Simulations Actually Measure, and How a Sustainable Awareness Program Reduces Cyber Risks.
Technical security measures fend off most known attacks, but phishing, social engineering, and business email compromise (BEC) deliberately target the weakest link in any security chain: people. Security awareness training turns employees from a vulnerability into an active line of defense.
Why technical measures alone aren’t enough
The facts:
- 68% of breaches involved a non-malicious human element, such as a person falling for a social engineering attack or making an error (Verizon DBIR 2024)
- 91% of all cyberattacks start with a phishing email
- Average click rate on phishing simulations before any training: 34.3% (KnowBe4 Phishing by Industry Benchmarking Report 2024)
- After 90 days of continuous training: roughly 18%; after 12 months: 4.6%
The paradox of security investments: Companies invest millions in firewalls, EDR, SIEM, and zero-trust architectures—but a single employee who clicks on a phishing link and enters their credentials can undo all these measures.
The good news: Human behavior can be changed. Effective security awareness training can reduce the risk of human error by 60–80%.
What Security Awareness Training Is (and Isn’t)
What It ISN’T
Not a one-time training session: The annual 45-minute “mandatory training” that employees click through doesn’t foster lasting security behavior. Studies show that after 6 months without reinforcement, the learning effect has completely faded.
Not a Punishment Tool: Training that primarily aims to “catch” and shame employees creates fear—but not a security-conscious culture. Employees then report incidents less frequently out of fear of consequences.
No Guarantee: Even the best training does not completely eliminate human error. The goal is risk reduction, not risk elimination.
What it IS
A continuous behavioral program that:
- Builds knowledge (understanding and recognizing threats)
- Trains behavior (responding correctly, reporting)
- Creates culture (security as a shared responsibility)
- Delivers measurable improvements (tracking KPIs over time)
The components of an effective awareness program
1. Baseline Assessment
Before training: Where does the company stand?
- Unannounced phishing simulation as a baseline test
- Documentation of click-through rate, credential submission rate, and reporting rate
- Identification of "repeat clickers" (employees who frequently fall for phishing attempts)
Typical baseline values (KnowBe4 2024):
Industry average phishing click rate without training: 34.3%
Small and medium-sized organizations (<250 employees): 37.9%
Large enterprises (>10,000 employees): 30.7%
2. Training modules
Core Content:
- Phishing detection (email, SMS, phone)
- Secure password practices and password managers
- Secure use of public Wi-Fi
- Recognizing social engineering and pretexting
- Physical security (clean desk, tailgating, visitor management)
- Incident reporting processes: What, to whom, how quickly?
- Data protection and GDPR basics
Format recommendations:
- Short sessions (5–10 minutes) instead of long training sessions
- Gamification significantly increases engagement
- Industry-relevant scenarios instead of generic examples
- Multilingual for international companies
- Mobile-optimized and accessible on all devices
3. Phishing Simulations
The central tool for awareness training—and at the same time the most common misconception:
Simulation ≠ a test that must be passed or failed.
Simulations serve as a learning opportunity: Anyone who clicks on the simulated phishing link immediately—at that very moment—receives an explanation of what would have happened and what the warning signs were.
Optimal simulation frequency:
- 4 times per year for the entire workforce
- Immediate follow-up training for those who clicked (short module, 5–10 min)
- Different scenarios per campaign (CEO fraud, package SMS, IT support call)
- Increasing complexity over time
Scenarios that work:
Simple (basic):
→ "Your account will be blocked—verify now"
→ Generic sender address, obvious warning signs
Intermediate (after 3 months of training):
→ CEO fraud: "Urgent confidential transfer"
→ Fake IT support: "Security update required"
Advanced (after 12 months):
→ Spear-phishing using real colleagues’ names and internal context
→ Phone vishing test from "IT support"
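The warning signs that a simulation's instant feedback points out (a look-alike sender domain, a role name such as "IT Support" on an external address, a Reply-To that diverges from From, link text that differs from the link target, a trusted name buried inside a foreign domain, urgency wording) can be written down as checks. The script below is an added example, not code from the article or from AWARE7. It assumes example.com is the organization's own domain and microsoft.com a trusted vendor, and it runs over a constructed sample lure modelled on the basic "verify now" scenario; the heuristics illustrate what a trained employee looks for and are not a production mail filter.

```python
"""Flag the warning signs an awareness module teaches, over a raw email.

Added example (not code from the article or from AWARE7). Assumptions:
the defender's own domain is example.com, microsoft.com is a trusted
vendor, and the message below is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example.com", "microsoft.com")  # assumption; tuple keeps output order stable
URGENCY_CUES = ("verify now", "will be blocked", "urgent", "immediately", "confidential")
ROLE_NAMES = re.compile(r"\b(ceo|cfo|it support|helpdesk|security team)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com/.net, wrong for co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_warning(host: str):
    """Warning string if host impersonates a trusted domain, else None."""
    host = host.lower()
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:                     # example.com.login-secure.net
            return f"trusted name '{trusted}' embedded in foreign domain '{reg}'"
        if levenshtein(reg, trusted) <= 2:      # examp1e.com, rnicrosoft.com
            return f"'{reg}' looks like '{trusted}'"
    return None


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message: str) -> list:
    """Return human-readable warning signs found in a single-part HTML email."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rpartition("@")[2].lower()
    if (w := domain_warning(from_host)):
        findings.append("sender: " + w)
    if ROLE_NAMES.search(name) and registrable(from_host) not in TRUSTED_DOMAINS:
        findings.append(f"sender: role '{name}' but external address {addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != from_host:
        findings.append(f"reply-to goes to a different domain: {reply_to}")
    body = msg.get_payload()
    parser = LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if (w := domain_warning(host)):
            findings.append("link: " + w)
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable(shown.group()) != registrable(host):
            findings.append(f"link text '{text}' actually points to {host}")
    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    cues = [c for c in URGENCY_CUES if c in plain]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings


# Constructed sample lure, modelled on the "verify now" scenario.
SAMPLE_LURE = """\
From: IT Support <helpdesk@examp1e.com>
Reply-To: recover@outlook-mail.net
To: alice@example.com
Subject: Your account will be blocked - verify now
Content-Type: text/html

<p>Your mailbox exceeded its quota. Verify now or access will be blocked.</p>
<p><a href="https://example.com.login-secure.net/verify">https://portal.example.com/verify</a></p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LURE):
        print("-", finding)
```

Run against the sample lure, every check fires: the look-alike sender domain, the role name on an external address, the diverging Reply-To, the trusted name embedded in a foreign link domain, the mismatch between link text and target, and two urgency cues. The same six points are what the instant-feedback page after a simulated click should show the employee; a legitimate internal message with an internal link produces no findings.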
KPIs for phishing simulations:
| KPI | Description | Benchmark Target |
|---|---|---|
| Click Rate | Percentage of clickers | < 5% (after 12 months) |
| Submission Rate | Percentage of data submitters | < 2% |
| Report Rate | Percentage of reporters | > 60% |
| Time to Report | Average reporting speed | < 1 hour |
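The four KPIs in the table, together with the repeat-clicker list from the baseline assessment, fall out of the per-recipient event log that simulation platforms export. The script below is an added example, not code from the article or from any simulation vendor; it assumes a flat CSV export with the columns campaign, user, event, timestamp, and the two-campaign log embedded in it is constructed.

```python
"""Phishing-simulation KPIs from a per-recipient event log.

Added example, not code from the article or from any simulation vendor.
Assumes a flat export (campaign,user,event,timestamp); the log below is
constructed: two quarterly campaigns sent to the same five recipients.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    kind: str           # sent | clicked | submitted | reported
    ts: datetime


RAW_LOG = """\
Q1,alice,sent,2024-01-10T09:00:00
Q1,alice,clicked,2024-01-10T09:05:00
Q1,alice,submitted,2024-01-10T09:06:00
Q1,bob,sent,2024-01-10T09:00:00
Q1,bob,reported,2024-01-10T09:12:00
Q1,carol,sent,2024-01-10T09:00:00
Q1,carol,clicked,2024-01-10T09:20:00
Q1,carol,reported,2024-01-10T09:22:00
Q1,dave,sent,2024-01-10T09:00:00
Q1,erin,sent,2024-01-10T09:00:00
Q1,erin,reported,2024-01-10T09:40:00
Q2,alice,sent,2024-04-15T10:00:00
Q2,alice,clicked,2024-04-15T10:03:00
Q2,bob,sent,2024-04-15T10:00:00
Q2,bob,reported,2024-04-15T10:02:00
Q2,carol,sent,2024-04-15T10:00:00
Q2,carol,reported,2024-04-15T10:15:00
Q2,dave,sent,2024-04-15T10:00:00
Q2,dave,submitted,2024-04-15T10:30:00
Q2,erin,sent,2024-04-15T10:00:00
Q2,erin,reported,2024-04-15T10:05:00
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        campaign, user, kind, ts = line.split(",")
        events.append(Event(campaign, user, kind, datetime.fromisoformat(ts)))
    return events


def campaign_kpis(events: list, campaign: str) -> dict:
    """Click, submission and report rates plus median minutes from send to report."""
    ev = [e for e in events if e.campaign == campaign]
    sent_at = {e.user: e.ts for e in ev if e.kind == "sent"}
    sent = set(sent_at)
    # A credential submission implies a click even if no separate click was logged.
    clicked = {e.user for e in ev if e.kind in ("clicked", "submitted")}
    submitted = {e.user for e in ev if e.kind == "submitted"}
    reported = {e.user for e in ev if e.kind == "reported"}
    delays = [(e.ts - sent_at[e.user]).total_seconds() / 60
              for e in ev if e.kind == "reported" and e.user in sent_at]
    n = len(sent)
    return {
        "sent": n,
        "click_rate": len(clicked & sent) / n,
        "submission_rate": len(submitted & sent) / n,
        "report_rate": len(reported & sent) / n,   # clicking then reporting still counts
        "median_minutes_to_report": median(delays) if delays else None,
    }


def repeat_clickers(events: list, min_campaigns: int = 2) -> list:
    """Users who clicked (or submitted) in at least min_campaigns distinct campaigns."""
    hits = defaultdict(set)
    for e in events:
        if e.kind in ("clicked", "submitted"):
            hits[e.user].add(e.campaign)
    return sorted(u for u, c in hits.items() if len(c) >= min_campaigns)


def trend(events: list) -> list:
    """Campaigns in chronological order with their KPIs, for tracking over time."""
    first_sent = {}
    for e in events:
        if e.kind == "sent":
            first_sent[e.campaign] = min(first_sent.get(e.campaign, e.ts), e.ts)
    return [(c, campaign_kpis(events, c)) for c in sorted(first_sent, key=first_sent.get)]


if __name__ == "__main__":
    evs = parse_log(RAW_LOG)
    for name, kpis in trend(evs):
        print(name, kpis)
    print("repeat clickers:", repeat_clickers(evs))
```

Two practical caveats when feeding real exports into this: a user who clicks and then reports (carol in Q1) is counted in both rates on purpose, because reporting after a mistake is exactly the behavior the program wants to reward; and mail gateways and link scanners often open simulation URLs automatically, so raw click events need the platform's bot filtering (or a user-agent and source-IP filter) before the click rate means anything.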
4. Build a reporting culture
The most important goal, aside from a lower click rate: Employees report suspicious emails immediately.
Why this is critical: When someone falls for a phishing attempt, every minute counts. A quick report enables immediate incident response—before any damage occurs.
Basic requirement: Reporting must be easy—and there must be no negative consequences.
Best practices for a reporting culture:
- Phishing report button directly in Outlook/Gmail (one click)
- Quick feedback on reports (< 4 hours: "Investigated, was [legitimate/phishing]")
- Public recognition for top reporters (gamification, leaderboards)
- No shame for those who click – learning instead of punishment
5. Special Target Groups
Not all employees face the same risk:
| Target Group | Specific Risk | Tailored Training |
|---|---|---|
| Executives/Board of Directors | CEO fraud, BEC | In-depth BEC training, verification processes |
| Accounting/Finance | Invoice fraud, wire transfer fraud | Payment processes and verification requirements |
| IT Administrators | Spear-phishing with technical context | Advanced technical scenarios |
| New Hires | Not yet embedded in corporate culture | Onboarding training within 1 week |
| Repeat Clickers | Particularly vulnerable | 1:1 coaching, intensive refresher training |
6. Regular Communication and "Security Moments"
Training is not an annual event—it is an ongoing communication strategy:
- Monthly security newsletters (1 page, practical)
- Current alerts during phishing waves (e.g., "Fake DHL SMS messages currently in circulation")
- Security Moments in team meetings (5 minutes monthly)
- Physical reminders (posters, screensavers, login banners)
- Gamified challenges (Who can spot the warning signs in this email?)
Metrics and performance measurement
Technical KPIs:
- Click-through rate on phishing simulations (over time)
- Reporting rate of suspicious emails
- Percentage of actively used reporting tools
Qualitative indicators:
- Spontaneous security questions from employees
- Increasing reports of genuine phishing attempts
- Management involvement and role modeling
Business metrics:
- Reduction in successful phishing attacks (IT ticket tracking)
- Faster incident response time
- Decline in security incidents attributable to human error
Benchmark: KnowBe4 Industry Data 2024:
Click-through rate without training: 34%
After 90 days of continuous training: 18%
After 12 months: 4.6%
After 12 months + phishing simulations: 2.8%
Compliance Requirements
ISO/IEC 27001:2022, Annex A control 6.3 (Information security awareness, education and training): explicit requirement that personnel receive awareness education and training.
NIS2 Art. 20(2): members of management bodies must follow cybersecurity training; Art. 21(2)(g) lists basic cyber hygiene practices and cybersecurity training among the required risk-management measures for employees.
BSI IT-Grundschutz ORP.3 "Sensibilisierung und Schulung zur Informationssicherheit" (awareness and training on information security): detailed requirements for training programs.
GDPR: There is no standalone training article, but Art. 39(1)(b) assigns the data protection officer the awareness-raising and training of staff involved in processing, Art. 32(4) requires that staff with access to personal data process it only on instruction, and under the accountability principle (Art. 5(2)) documented training is how an organization demonstrates this.
Common Mistakes
"We did a training session last year": One-time training sessions without reinforcement have no measurable effect after 6 months.
"Our employees are too smart to fall for phishing": No level of expertise protects against sophisticated social engineering attacks. Even experienced IT professionals fall for spear-phishing with context-based attacks.
"We need to improve our technology first": Security awareness is not an alternative to technical measures, but a complementary layer. Both are necessary.
"Shaming employees leads to caution": The opposite is true. Shame leads to concealed behavior—incidents are no longer reported out of fear of consequences.
Conclusion
Security awareness training is not a compliance checkbox, but a strategic investment in the most effective layer of security: human judgment. A properly designed program—with continuous simulations, immediate feedback, a reporting culture free of fear, and targeted advanced modules for high-risk groups—demonstrably and measurably reduces human risk. And it pays off: The cost of an awareness program is far lower than the cost of a single successful phishing attack.
Sources & References
- [1] KnowBe4 Phishing by Industry Benchmarking Report 2024 - KnowBe4
- [2] Verizon DBIR 2024: Human Element in Breaches - Verizon
- [3] BSI: Awareness-Kampagnen für Unternehmen - BSI
- [4] SANS Security Awareness Report 2024 - SANS Institute
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's program in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments on cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking — Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)