Security Awareness Training: how to build a programme that works
2026-07-13 · by SECURITYSQUAD

That people are the decisive line of defence is now widely understood. The harder question is: how do you turn that insight into a programme that demonstrably changes behaviour? An effective security awareness training is not an annual appointment, but a continuous, measurable process. This article shows how to set it up.
It starts with a baseline assessment
Before you plan content, take a sober look at the status quo. What is the click rate in a first, unannounced phishing simulation? How many staff report a suspicious email at all? Which roles are especially exposed? This baseline delivers not only your topics but also the yardstick against which you will later measure success. Without a starting value, any awareness programme remains a claim.
Target groups and topics: the watering can doesn't work
Training that is the same for everyone is right for no one. Effective programmes differentiate by role and risk:
- Accounting and finance: focus on CEO fraud and invoice fraud (business email compromise), approval processes, payment verification via a second channel.
- Management and executives: highly personalised attacks (spear phishing), deepfake and vishing scenarios, handling mobile devices while travelling.
- IT and administration: credential theft, handling privileged access, supply-chain and support fraud.
- All staff: safe use of passwords and MFA, data protection, reporting channels, home office and removable media.
The programme should also cover current attack patterns – such as QR-code phishing or AI-generated, linguistically flawless messages that render the classic warning signs useless.
A mix of methods, not a single measure
Sustainable awareness comes from combining several formats:
- Phishing simulations: realistic but fair campaigns that make behaviour visible under everyday conditions – not to expose people, but to help them learn.
- E-learning and microlearning: short, modular units that fit into the working day rather than blocking it.
- Just-in-time learning: perhaps the most effective method – anyone who clicks on a simulated phishing email gets a short, friendly explanation in the same moment. The learning effect is greatest at the moment of the mistake.
- In-person and live formats: for sensitive target groups, complex topics and the cultural backing of the leadership level.
Regularity and sustainability
Security awareness behaves like fitness: it fades if you do nothing for it. That is why the one big annual training is quickly forgotten. What works are short, recurring impulses spread across the year, complemented by ongoing simulations. Just as important is the error culture: punishing clicks mainly ensures that incidents are hidden. A quick, fear-free report buys IT valuable time – it is worth more than any sanction.
Measurability: which KPIs matter
A programme you don't measure is a programme you can't steer. The key metrics:
- Click rate: the share of staff who click on a simulated phishing email. Most meaningful over time, not as a snapshot.
- Reporting rate: the share of those who actively report a suspicious email. This metric is often underestimated, yet it is the best indicator of a lived security culture – staff become sensors.
- Resilience ratio: reporters relative to clickers. A rising ratio shows real progress.
- Repeat clickers: staff who click more than once. They need targeted, supportive interventions rather than blanket repetition.
- Completion and participation rates: also relevant as evidence for auditors.
Set realistic quarterly targets and report trends to management – awareness is a leadership task.
Platforms: a tool, not an end in itself
Specialised platforms have become established for simulations and e-learning. KnowBe4 is one of the leading solutions on the market – and SECURITYSQUAD is an official KnowBe4 partner: we set up the platform, plan phishing campaigns and learning paths, and deliver the reporting. What still matters is the fit with your goals: does the platform cover your languages and roles? Does it deliver the KPIs you need to report? Can it be operated in a data-protection-compliant way? We clarify this together and align the programme with your needs.
The training obligation under NIS2 and ISO 27001
Awareness is no longer optional. The NIS2 Directive explicitly obliges affected entities to practise cyber hygiene and provide training – and holds the management level accountable in the process. ISO/IEC 27001, together with Annex A, requires demonstrable competence, awareness and training of employees. In both cases, what counts is not a one-off signature under a policy, but documented, recurring evidence. This is precisely where a measurable programme pays off twice over.
How SECURITYSQUAD supports you
As a service provider certified to ISO 27001 and BSI IT-Grundschutz and a participant in the Alliance for Cyber Security, we do not treat awareness in isolation, but as part of your ISMS and your NIS2 implementation. We capture your baseline, develop a role-based programme, set up simulations and e-learning as an official KnowBe4 partner, and report the KPIs that matter to management and auditors. Our penetration tests including social engineering additionally provide a realistic outside view – so you know where you really stand.
Read more: Phishing and the human factor · Expertise & Services · NIS2 for mid-sized companies