
Security awareness

Security awareness is the targeted training and sensitisation of employees so they can recognise security risks such as phishing or social engineering and behave securely in their everyday work.

Security awareness covers all measures with which an organisation builds and continuously maintains the security consciousness of its workforce. The goal is for employees to recognise and respond correctly to typical attack patterns such as phishing emails, social engineering, spoofed senders, or the careless handling of passwords and mobile devices. Because a large share of successful security incidents traces back to human error, the human factor is regarded as a decisive line of defence alongside technical and organisational safeguards.

Effective security awareness is not a one-off event but a continuous process of training sessions, regular refreshers, simulated phishing campaigns, posters, and a visibly practised security culture. Content should be tailored to the target group, since management, IT administration, and clerical staff have different risk profiles and obligations. Success is measured through metrics such as participation rates, click rates in phishing simulations, or the number of reported suspicious cases, which feed back into the information security management system (ISMS).

Security awareness is firmly anchored in law and standards. The NIS2 Directive and its national transposition oblige affected entities to provide training, and management must attend training in order to assess cyber risks. ISO/IEC 27001 requires corresponding programmes in its controls on information security awareness, education, and training, and the German BSI IT-Grundschutz dedicates a separate module to the topic. Security awareness is therefore both a compliance obligation and a practical means of reducing risk.

Legal Basis

Art. 20 and Art. 21(2)(g) NIS2 Directive (EU 2022/2555); ISO/IEC 27001:2022 Annex A 6.3; BSI IT-Grundschutz module ORP.3

Practical Example

A mechanical engineering firm classified as an important entity introduces an annual security awareness programme. All employees complete mandatory e-learning, and management attends a separate session on its NIS2 obligations. Each quarter the information security officer sends simulated phishing emails; anyone who clicks receives a short learning unit instead of a sanction. Within a year the click rate falls from 28 to 6 percent, and the number of reported suspicious emails rises sharply. Participation rates and results are documented and presented in the internal audit as evidence of compliance.

FAQ

A mandatory annual basic training is recommended at minimum, supplemented by continuous measures such as quarterly phishing simulations, situational reminders, and refreshers. New employees should be trained as part of onboarding. Regularity is key, as one-off training quickly fades.

Yes. The NIS2 Directive explicitly obliges affected entities to provide cybersecurity training. In addition, management must attend training itself and is liable for implementing the risk management measures. Training is therefore a mandatory building block of compliance.

Suitable metrics include training participation and completion rates, click and reporting rates in phishing simulations, and the number of actually reported suspicious cases. Falling click rates and rising reports are strong indicators of growing security consciousness. Results should be documented and fed back into the ISMS.
