This glossary brings together the most commonly used terms in security awareness. Useful as a reference for employees, buyers and security professionals who need clear internal explanations.
A
Awareness fatigue
The phenomenon where employees become so accustomed to security warnings, training and phishing tests that they no longer respond to them. Awareness fatigue develops from repeated, low-relevance messages. Solution: shorter modules, higher relevance and variety in approach.
Access management
The policies and processes that control who has access to which systems, data and locations. The principle of least privilege limits damage when an account is compromised. Employees need to understand how to handle access permissions safely.
C
Click rate
The percentage of employees who click on a phishing link during a simulation or real attack. Click rate is a starting point for measurement, but says little on its own: how many clicked matters less than why they clicked, when they clicked, and how quickly the email was reported. A click that is reported within minutes is a very different outcome from one that is never reported.
CEO fraud / Business Email Compromise (BEC)
A targeted attack where an attacker impersonates a CEO, director or other executive to persuade employees, often in finance, to make an unauthorized payment or share sensitive data. BEC is among the costliest categories of cybercrime, with the FBI's annual IC3 reports attributing billions of dollars in losses to it each year.
D
Deepfake
AI-generated fake audio, video or images that make someone appear to say or do things they never did. Deepfakes are used for disinformation, reputational damage and fraud, and place new demands on employee digital literacy.
Data breach
The unauthorized destruction, loss, alteration, disclosure of, or access to personal data or confidential information. Under GDPR (Art. 33) a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the affected individuals. The 72-hour clock starts at awareness, so employees who promptly report a suspected breach give the organization time to assess and notify.
G
GDPR
The General Data Protection Regulation is the European privacy law that requires organizations to process personal data carefully. Employees need to understand what personal data is and how they are expected to handle it under GDPR principles.
Gamification in security awareness
Applying game elements — such as points, badges, leaderboards or challenges — to security awareness training to stimulate engagement and repetition. Gamification works best when it supports behavior change rather than purely providing entertainment.
I
Insider threat
A security risk originating from people inside the organization: employees, former employees, vendors or partners with access to systems or data. Insider threats can be intentional (malicious) or unintentional (negligent). Awareness reduces unintentional insider incidents.
Incident reporting
The process by which employees report suspicious situations, mistakes or security incidents internally. A blame-free reporting culture is essential: employees who dare to report a mistake give the organization the chance to respond quickly before damage spreads.
M
Malware
A collective term for malicious software including viruses, worms, trojans, spyware and ransomware. Malware is often spread via phishing, fake downloads or infected USB drives. Employees who recognize phishing form an essential line of defense.
Multi-factor authentication (MFA)
A security method that requires verification from at least two different categories of factor to access a system: something you know (password), something you have (phone or hardware token) and something you are (biometrics). MFA greatly reduces the impact of a stolen or guessed password, but not all MFA is equal: one-time codes and push notifications can still be phished in real time or approved by a fatigued user, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys are bound to the legitimate site and cannot be relayed by an attacker's fake login page.
N
NIS2 Directive
The European Network and Information Security Directive 2 (NIS2) requires essential and important entities to take concrete cybersecurity measures, including employee awareness and training (Art. 21) and board-level training (Art. 20). Awareness is therefore a named legal obligation.
P
Phishing
An attack technique where attackers use email, SMS or other channels to trick people into clicking a link, entering credentials or opening an attachment. Phishing is consistently one of the most common initial access vectors in reported cyber incidents.
Phishing simulation
A controlled test where an organization sends fake phishing emails to its own employees to measure how they respond. The goal is not to catch and punish, but to raise awareness and measurably improve behavior. Results are used for reporting and targeted follow-up.
Password hygiene
Habits around creating, storing and using passwords: a unique password per account, sufficient length (current guidance such as NIST SP 800-63B favors long passphrases over forced complexity rules), no reuse across services, and use of a password manager. Poor password hygiene, above all reuse, is one of the most common causes of account compromise, because a single leaked password is replayed against every other service where it was used.
R
Report rate
The percentage of employees who actively report a suspicious email or phishing attempt to IT or security. A rising report rate is often a better indicator of behavior change than a falling click rate, because it reveals behavior beyond the simulation.
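The click rate and report rate entries above say that who clicked, when, and how quickly a report arrived matter more than the raw click percentage. The following added example (not code from the glossary page or any awareness platform) computes those metrics from a simulation event log. The log format, the user names and all timestamps are constructed for the example; it assumes a platform that records one "delivered", "clicked" or "reported" event per user with a timestamp.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed phishing-simulation log (not real data). One event per line:
# "<timestamp>,<user>,<event>", where event is delivered, clicked or reported.
SIMULATION_LOG = """\
2024-03-04 09:00:00,alice,delivered
2024-03-04 09:00:00,bob,delivered
2024-03-04 09:00:10,carol,delivered
2024-03-04 09:00:10,dave,delivered
2024-03-04 09:00:20,erin,delivered
2024-03-04 09:00:20,frank,delivered
2024-03-04 09:00:30,grace,delivered
2024-03-04 09:00:30,heidi,delivered
2024-03-04 09:00:40,ivan,delivered
2024-03-04 09:00:40,judy,delivered
2024-03-04 09:01:20,erin,reported
2024-03-04 09:02:00,bob,clicked
2024-03-04 09:02:40,judy,reported
2024-03-04 09:03:10,carol,clicked
2024-03-04 09:04:00,alice,reported
2024-03-04 09:10:10,carol,reported
2024-03-04 09:15:30,grace,clicked
2024-03-04 09:30:30,heidi,reported
"""


def parse_log(text):
    """Return {user: {event: [timestamps]}} from the CSV-like log."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.strip().splitlines():
        ts, user, event = (field.strip() for field in line.split(","))
        events[user][event].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return events


def simulation_metrics(text):
    """Compute click rate, report rate and the timing metrics behind them."""
    events = parse_log(text)
    delivered = {u for u, e in events.items() if e["delivered"]}
    clicked = {u for u in delivered if events[u]["clicked"]}
    reported = {u for u in delivered if events[u]["reported"]}

    first_delivery = min(min(events[u]["delivered"]) for u in delivered)
    first_click = min((min(events[u]["clicked"]) for u in clicked), default=None)
    # Earliest report per user, and how long after their own delivery it came.
    report_times = {u: min(events[u]["reported"]) for u in reported}
    delays = [
        (report_times[u] - min(events[u]["delivered"])).total_seconds()
        for u in reported
    ]

    return {
        "delivered": len(delivered),
        "click_rate": len(clicked) / len(delivered),
        "report_rate": len(reported) / len(delivered),
        # Clicked and then reported: damage-limiting behaviour worth rewarding.
        "clicked_then_reported": len(clicked & reported),
        # Clicked and stayed silent: the population that needs follow-up.
        "clicked_never_reported": len(clicked - reported),
        # How soon the security team could have learned about the campaign.
        "seconds_to_first_report": (
            (min(report_times.values()) - first_delivery).total_seconds()
            if reported else None
        ),
        "median_report_delay_seconds": median(delays) if delays else None,
        # Reports that arrived before anyone clicked: the window in which
        # a responder could have pulled the email from other mailboxes.
        "reports_before_first_click": sum(
            1 for t in report_times.values()
            if first_click is None or t < first_click
        ),
    }


if __name__ == "__main__":
    for key, value in simulation_metrics(SIMULATION_LOG).items():
        print(f"{key:30} {value}")
```

On the constructed log, 3 of 10 recipients clicked and 5 reported; one user clicked and then reported, two clicked and stayed silent, the first report arrived 80 seconds after the first delivery and before the first click. The same 30% click rate could describe ten silent clickers, which is why the report timing columns belong in the report alongside it.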
Ransomware
Malicious software that encrypts files or systems and demands payment for the decryption key; many groups also steal data first and threaten to publish it. Ransomware attacks typically begin with phishing, an infected attachment, stolen credentials, or exposed remote access such as RDP or a VPN without MFA. Security awareness reduces the likelihood of the phishing-based initial access, but it does not replace patching, MFA on remote access and tested offline backups.
S
Security awareness
The awareness employees have of cybersecurity risks and the knowledge to handle them safely in daily work. Security awareness goes beyond knowledge: the goal is behavior change that leads to safer actions around phishing, passwords, access management and incident reporting.
Spear phishing
A targeted variant of phishing where the attacker personalizes the message using information about the target, such as name, role, employer or recent activities. Spear phishing is harder to recognize than generic phishing emails.
Social engineering
An attack method that uses psychological manipulation rather than technical vulnerabilities. Examples include creating urgency, impersonating authority, exploiting trust or inducing fear. Phishing is the most common form of social engineering.
Smishing
SMS phishing: attacks via text message or messaging apps (such as WhatsApp) containing fake links, false notifications or urgent requests. Smishing is growing because employees tend to be less critical of SMS messages than emails.
Security awareness program
A structured, ongoing initiative to improve employees' cybersecurity knowledge and behavior. A strong program combines training, phishing simulation, communication, reporting and management involvement in an annual rhythm.
V
Vishing
Voice phishing: an attack by phone where attackers impersonate colleagues, IT staff, banks or government agencies to extract sensitive information or prompt action. Vishing is increasingly used in combination with other attack techniques.
Z
Zero-day vulnerability
A security flaw in software that is unknown to the vendor and for which no patch is available yet. Attackers exploit zero-days before organizations can close them. Security awareness reduces exposure through human attack vectors.
Go deeper on these terms
The knowledge base contains articles that explore the practice behind these terms: how to measure phishing, when simulations backfire and how to make security awareness demonstrable to boards and auditors.