Organisationen, die Security Awareness strukturiert angehen

Phishing simulations — including CEO fraud and deepfake scenarios — linked directly to e-learning modules. Employees who click automatically flow to an explanation page and targeted training. DORA topics embedded in the annual program rhythm. Board receives quarterly reporting with exportable KPIs.

Reporting behavior increased significantly within six months. Click rate dropped more than 60% after four simulation rounds. The CISO uses the platform as the primary source for DORA compliance evidence and ISO audits.

A new program: not just an MFA-fatigue module, but a fixed behavioral rule everyone knows — more than three unexpected MFA notifications? Switch to airplane mode, call the helpdesk in the morning. NEN 7510 themes spread across eight campaigns with separate board reporting. The employee's story — shared with his permission, anonymously — became part of standard onboarding.

Behavioral rule embedded in onboarding for all night-shift employees with quarterly reminders. Internal audit evidence available per period. Incident reporting went up — proof of growing awareness. The employee is now seen as the person who woke the organization up.

Program kick-off with the secretary-general or director — including a personal story about why this program matters to this organization. Segmented audiences per department, centralized reporting. Security as a standing agenda item in management meetings and team standups. User management via AD integration.

Participation rose to above 85% month after month — sustained for three years. Leadership remained consistently engaged; tone at the top changed the culture structurally. Per-department reporting is now standard in the monthly security review.

2LRN4 configured with content in nine languages, locally adapted phishing templates per region. Critical suppliers included in the program through policy acceptance and demonstrated training. Progress per language group and location reported monthly.

Participation rate exceeded 90% across all regions within the first year. Suppliers demonstrably included — meets NIS2/Cybersecurity Act and DORA supply chain requirements.

Baseline phishing simulation followed by an annual rhythm of six theme-specific trainings. Security ambassadors appointed per team — colleagues with intrinsic interest in security who serve as the go-to person and surface feedback. Results per team reported every two months.

Click rate dropped by more than 60% after four simulation rounds. Ambassadors multiplied the reach of the central team. Management receives a standard report directly usable for ISO 27001 audit.

Serious game rolled out per department by internal game leaders — departments competed against each other, weekly scores posted on the intranet alongside security tips. Blame-free communication: employees who click are guided, not sanctioned. For the phishing follow-up, the executive personally recorded a video explaining why the municipality runs these exercises.

Reporting willingness increased significantly. The video spread through the municipality like wildfire — awareness became a conversation, not an obligation. The team demonstrated that behavioral change delivered more results than disciplinary measures.