Security awareness is a well-known concept within our field. Increasingly, organizations recognize the importance of human behaviour in safeguarding overall information security. Training within the framework of ISO 27001 is not only intended to raise awareness of information security risks, but also to enable employees to act securely in their daily work. It is not about "ticking the box" of mandatory knowledge transfer, something that is still often observed in practice, but about developing understanding, skills, and behaviour that align with real-world situations.
Effective security awareness supports the Information Security Management System (ISMS) by translating policies and controls into recognizable scenarios. This ensures that employees understand what is expected of them, why it matters, and how they can act accordingly.
In a previous blog, my colleague Laurens Rüpp explained why information security rarely fails due to technology, but more often due to human behaviour. The subsequent blog by my colleague Hediye Kamalizade demonstrated that human errors are often a logical outcome of the organizational context in which people operate. This article forms the final part of the series. In this blog, we provide practical tips and methods for designing a security awareness training that takes human behaviour, context, and routines into account.
To briefly recap the theory from the previous blogs: information security is often approached as a technical issue, while in reality many incidents can be traced back to human behaviour. This behaviour is rarely irrational or careless; rather, it is influenced by emotions, habits, social norms, and context. Neurologist António Damásio describes this as humans being “feeling machines that think.” This implies that secure or insecure behaviour is not primarily driven by knowledge or rules.
The first blog introduced a systematic behavioural approach based on five behavioural lenses from the Persuasive by Design model. These lenses explain how secure behaviour develops: through habits and impulses, knowledge and beliefs, visibility and feedback, motivation and skills, and repetition in daily practice. These insights are essential when designing effective awareness training.
The second blog highlighted that even the most capable and loyal employee may click on a phishing link, not out of unwillingness, but due to how our brains and working environments function. Factors such as high workload or fatigue can lead to “autopilot” behaviour, where quick, unconscious decisions are made to conserve energy, reducing vigilance. Research shows that the human factor plays a role in a large proportion of data breaches.
Additional training or stricter rules alone are therefore rarely sufficient. Security often fails due to a gap between policy and practice, unworkable processes, and a culture where workload undermines safety. Effective information security requires an integrated approach in which people, processes, and technology align, and where the secure option is also the easiest option.
These insights are highly relevant and provide a clear understanding of what works, what does not, and why. They form the foundation for designing effective training and are reflected in the tips below.
There are many ways to implement security awareness effectively within an organization. What we can conclude is that there is no “one-size-fits-all” solution. Consistency, repetition, and patience are essential, as human behaviour does not change quickly or easily.
In practice, organizations apply various approaches to improve employee awareness. The following elements are generally perceived as effective:
Rather than a single contact point, organizations benefit from multiple accessible points of contact for security and/or privacy questions across departments (often locally embedded). In larger organizations, approaching a Data Protection Officer (DPO) or CISO can feel like a significant step, as they are often very busy. A colleague within the team who can quickly answer questions lowers this barrier.
Some organizations refer to these individuals as “information security (and privacy) ambassadors.” These employees have an affinity with the topic and receive periodic updates on developments within and outside the organization.
Although visible commitment from leadership may sound somewhat cliché, it is highly effective in practice. When leadership clearly communicates why information security and privacy are important, what the behavioural expectations are, and that making mistakes is part of learning, employees are more willing to engage and take responsibility.
In such an environment, employees are more likely to report doubts or mistakes, such as clicking on a phishing email. This increases incident reporting and provides the organization with better insight into risks, enabling more targeted and effective responses, such as tailored training.
Security awareness training can be integrated into existing recurring meetings attended by employees. Training can also be combined with physical or digital sessions. This ensures participation and reinforces that information security and privacy are relevant to everyone. It is important, however, to tailor the content to the specific audience.
Many security awareness programs are well-designed in terms of content but fail to achieve lasting impact. Employees may understand what phishing is or why strong passwords are important, yet little changes in daily practice. This gap is not due to unwillingness, but rather a logical consequence of how human behaviour works within an organizational context, including factors such as workload and working environment.
Designing an effective training program can therefore be challenging. How do you ensure that employees not only understand secure behaviour but also apply it in their daily work?
Alternate between physical and digital training formats. Digital sessions provide flexibility, while in-person sessions enable interaction and allow you to gauge what resonates with the audience. This also enables you to address specific themes relevant to different groups.
Reinforce key security practices during every training session, even if presented from different perspectives. Repetition helps embed behaviour into daily routines. Reward positive behaviour and highlight good examples.
This aligns with the behavioural lens theory, which emphasizes the importance of repetition. By embedding secure practices into processes, consistently communicating them, and having employees actively apply them, these behaviours gradually become standard practice.
Providing insight and feedback helps drive behavioural change. Make organizational risks visible and ensure employees gain insight into their own behaviour regarding information security and privacy.
Incorporate real-life examples and lessons learned from incidents. This can be supported by conducting a root cause analysis, a systematic method for identifying the underlying cause of an incident, with the aim of understanding why it occurred. Open communication is key: involve employees and ensure transparency to prevent recurrence.
As highlighted earlier, work pressure is a common cause of human error. Acknowledge this in training by incorporating exercises that simulate decision-making under pressure.
While reducing workload is important, periods of high pressure are sometimes unavoidable. Use input from employees to create realistic scenarios. Focus on simple behavioural reflexes that help reduce risk, for example, verifying urgent requests via a quick call or message before taking action.
Ultimately, effective information security is not about stricter rules or more knowledge alone. This series has shown that secure behaviour emerges from an environment in which acting securely becomes the natural choice. When organizations consciously invest in behaviour, processes, and culture, security awareness evolves from a compliance obligation into an integral part of the working environment, driven by people who understand that their daily choices make the difference.
Our unique “Phishing Awareness Service” trains your employees to recognize phishing emails and respond to them appropriately.