Security Awareness

Security awareness is the practice of educating and training employees to recognise and respond correctly to information security threats. People remain the most exploited vulnerability in cybersecurity, and awareness training is a central organisational security measure.

    Why is security awareness important?

    Breach studies consistently find that a large majority of incidents involve a human element (Verizon's 2022 Data Breach Investigations Report put the figure at 82%): phishing, social engineering, mishandling of data, misdirected e-mail, and weak or reused passwords. Technical controls alone cannot protect against an employee who clicks a phishing link, approves an MFA prompt they did not initiate, or sends a confidential file to the wrong recipient.

    Security awareness is the organisational measure that reduces the human risk factor by making employees an active part of the defence rather than an attack vector. It complements technical controls rather than replacing them: some users will always click, so phishing-resistant MFA, e-mail filtering and least-privilege access must limit what a single mistake can cause.

    What should an awareness programme include?

    An effective awareness programme typically covers:

    • Recognising phishing and social engineering attacks
    • Secure password practices (long, unique passphrases kept in a password manager) and use of multi-factor authentication (MFA), preferably phishing-resistant methods such as FIDO2 security keys or passkeys
    • Correct handling of confidential data (classification and sharing)
    • Reporting security incidents and suspicious activities
    • Secure use of mobile devices and remote working environments
    • The organisation's security policies and consequences of non-compliance

    Phishing simulations

    Phishing simulations are controlled tests in which the organisation sends simulated phishing e-mails to its own employees and records who clicks, who enters credentials on the landing page and who reports the message. The results are used to identify high-risk groups, tailor training and measure effectiveness over time. Two caveats matter in practice. Click rate alone is a poor measure: an employee who clicks and then reports has done the right thing, and the report is what lets the security team respond, so report rate and time to report should be tracked alongside it. And simulations must be accompanied by positive, just-in-time learning rather than blame, since punitive programmes teach employees to hide mistakes instead of reporting them.


    Ongoing training, not one-off events:
    Research shows that one-off training sessions quickly lose their effect, often within a few months. Short, regular awareness activities are far more effective than a single annual three-hour session.

    Regulatory requirements

    Security awareness training is required or recommended under multiple frameworks:

    • ISO 27001:2022: Clause 7.3 requires that persons doing work under the organisation's control are aware of the information security policy, of their contribution to the ISMS and of the implications of not conforming. Annex A control 6.3 (Information security awareness, education and training) covers the programme itself.
    • NIS2: Article 21(2)(g) lists basic cyber hygiene practices and cybersecurity training among the minimum risk-management measures, and Article 20(2) requires members of management bodies to follow cybersecurity training and encourages regular training for all employees.
    • GDPR: Article 39(1)(b) makes awareness-raising and training of staff involved in processing one of the data protection officer's tasks, and Article 32(4) requires that anyone acting under the controller's or processor's authority processes personal data only on instructions, which in practice requires that staff have been told what those instructions are.
    • CIS Controls v8, Control 14 (Security Awareness and Skills Training): Safeguards 14.1 to 14.6 belong to Implementation Group 1 (IG1), the baseline expected of every organisation regardless of size; the remaining safeguards (14.7 to 14.9) apply to IG2 and IG3.

    Measuring effectiveness

    An awareness programme should be measurable. Common metrics include phishing simulation click rates, incident reporting rates, training completion rates and the time taken to report suspicious e-mails. Completion rates show only that training was delivered; click and report rates, tracked per department and over successive campaigns, show whether it changed behaviour. A rising report rate and a falling time to first report are the clearest sign of success, because they shorten the window in which a real phishing campaign runs undetected.
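    The following script shows how the simulation and measurement metrics described above (click rate, report rate, time to report, and the high-risk groups a campaign surfaces) can be computed from a campaign's event log. It is an added example for this entry, not code from the original page or from any particular simulation product; the event format (timestamp,user,department,event), the department names, the 30% risk threshold and the events in SAMPLE_LOG are assumptions and constructed sample data, not results from a real campaign.

```python
"""Phishing-simulation metrics from a campaign event log.

Added example for this glossary entry; it is not code from the original page.
The event format (timestamp,user,department,event), the department names and
the events in SAMPLE_LOG are assumptions and constructed sample data, not
results from a real campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log. Event kinds: "sent" (simulated mail delivered),
# "clicked" (user followed the link), "reported" (user used the report button
# or forwarded the mail to the security team).
SAMPLE_LOG = """\
2024-03-04T09:00:00,alice,finance,sent
2024-03-04T09:00:00,bob,finance,sent
2024-03-04T09:00:00,carol,engineering,sent
2024-03-04T09:00:00,dave,engineering,sent
2024-03-04T09:00:00,erin,sales,sent
2024-03-04T09:03:00,alice,finance,clicked
2024-03-04T09:05:00,bob,finance,reported
2024-03-04T09:07:00,alice,finance,reported
2024-03-04T09:11:00,carol,engineering,reported
2024-03-04T10:42:00,erin,sales,clicked
2024-03-04T10:43:00,erin,sales,clicked
"""


def parse_events(text):
    """Parse 'timestamp,user,department,event' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, kind = (field.strip() for field in line.split(","))
        events.append((datetime.fromisoformat(ts), user, dept, kind))
    return events


def campaign_metrics(events):
    """Per-department and campaign-wide metrics.

    click_rate  = users who clicked at least once / users the mail was sent to
    report_rate = users who reported at least once / users the mail was sent to
    Repeat clicks or reports by one user count once, so a single user cannot
    inflate a rate. A user who clicks and then reports is counted in both: the
    report is the behaviour training wants, and it is what tells the security
    team a campaign is under way.
    """
    sent_at, dept_of, clicked, first_report = {}, {}, set(), {}
    for ts, user, dept, kind in sorted(events):
        dept_of[user] = dept
        if kind == "sent":
            sent_at[user] = ts
        elif kind == "clicked":
            clicked.add(user)
        elif kind == "reported":
            first_report.setdefault(user, ts)   # keep the earliest report

    def summarise(users):
        if not users:
            raise ValueError("no 'sent' events: nothing to measure")
        delays = [(first_report[u] - sent_at[u]).total_seconds() / 60
                  for u in users if u in first_report]
        n_clicked = sum(u in clicked for u in users)
        return {
            "sent": len(users),
            "clicked": n_clicked,
            "reported": len(delays),
            "click_rate": n_clicked / len(users),
            "report_rate": len(delays) / len(users),
            "median_report_minutes": median(delays) if delays else None,
            # Minutes until the security team first heard of the campaign.
            "first_report_minutes": min(delays) if delays else None,
            # Clicked and never reported: the group that most needs follow-up.
            "silent_clickers": sorted(u for u in users
                                      if u in clicked and u not in first_report),
        }

    by_dept = defaultdict(list)
    for user in sent_at:            # only users the mail was actually sent to
        by_dept[dept_of[user]].append(user)
    return {
        "by_department": {d: summarise(u) for d, u in by_dept.items()},
        "total": summarise(list(sent_at)),
    }


def high_risk_departments(metrics, min_click_rate=0.3):
    """Departments at or above the click-rate threshold, worst first."""
    depts = metrics["by_department"]
    return sorted((d for d in depts if depts[d]["click_rate"] >= min_click_rate),
                  key=lambda d: depts[d]["click_rate"], reverse=True)


if __name__ == "__main__":
    m = campaign_metrics(parse_events(SAMPLE_LOG))
    for dept, s in sorted(m["by_department"].items()):
        print(f"{dept:12} click {s['click_rate']:.0%}  report {s['report_rate']:.0%}  "
              f"median report {s['median_report_minutes']} min  silent {s['silent_clickers']}")
    t = m["total"]
    print(f"campaign: click {t['click_rate']:.0%}, report {t['report_rate']:.0%}, "
          f"first report after {t['first_report_minutes']} min")
    print("high-risk departments:", high_risk_departments(m))
```

    Run against the constructed log, sales shows a 100% click rate and no reports, finance a 50% click rate but a 100% report rate, and the campaign as a whole was first reported five minutes after sending. The `silent_clickers` list (here only erin) is the group to follow up with individually; alice, who clicked and then reported, is counted as a click but not as silent, which is the distinction a click-rate-only dashboard hides.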

    Frequently Asked Questions about Security Awareness

    What is security awareness?

    Security awareness is the practice of educating employees to recognise and respond correctly to information security threats such as phishing, social engineering and data mishandling. It aims to reduce the human risk factor in cybersecurity.

    Why is security awareness training important?

    Most breaches involve a human element (82% in Verizon's 2022 Data Breach Investigations Report). Technical controls alone cannot prevent employees from clicking phishing links or mishandling data. Awareness training makes employees an active part of the defence.

    How often should awareness training be conducted?

    Research shows that one-off training quickly loses its effect. Best practice is to deliver short, regular awareness activities throughout the year rather than a single annual session.

    What is a phishing simulation?

    A phishing simulation is a controlled test in which the organisation sends simulated phishing e-mails to its own employees. The results measure click rates and report rates and are used to identify risk groups and tailor future training.

    Which regulations require security awareness training?

    ISO 27001:2022 (clause 7.3 and Annex A 6.3), NIS2 (articles 20 and 21), GDPR (articles 32 and 39, for employees processing personal data) and CIS Controls v8 Control 14 all require or recommend security awareness training.
