Physical security sounds old-fashioned in an age of AI phishing and deepfake voices, but in practice it remains an essential layer. Tailgating at the entrance, an open laptop left unattended on a train, a USB stick found in the car park, someone peering over your shoulder at your screen: these attacks bypass every firewall. What do employees in 2026 still need to know and do?
Why physical security still matters
Cybercriminals take the path of least resistance. When the technology is well secured, attention shifts to people, processes and the physical environment. An attacker who finds no hole in your firewall tries via a cleaner, a temp or an open meeting room. The line between 'cyber' and 'physical' has effectively dissolved.
Much work in 2026 is also hybrid: office, café, train, home. This spreads the physical risk zone. Screens, papers, conversations and devices are at least as vulnerable outside the office as inside, sometimes more so.
Physical-security awareness is about a handful of small habits that add up to a measurably safer working environment. No complex technology, just sustained discipline.
The six basics for every working environment
Simple in principle, tough in practice:
- Wear your badge visibly in controlled-access zones. And politely address someone without one: "Can I help you, who are you here to see?" Tailgating works because no-one wants to seem rude.
- Do not leave devices or papers unattended. Office, train, hotel. A locked cupboard or drawer takes fifteen seconds and prevents a breach.
- Lock your screen when you stand up, even for two minutes. A colleague peeking over your shoulder is usually harmless; an outsider is not always.
- Use a privacy screen on trains and in public spaces. A filter for a few euros stops your seat-neighbour reading along.
- Do not have confidential conversations in public. A quiet corner of a restaurant is not a confidential space. A phone booth or a closed meeting room is.
- Shred paper before discarding it. A bin next to a busy printer is not a clean bin; its contents often go straight to ordinary paper waste.
Tailgating and the politeness dilemma
Tailgating, following someone through a controlled door without your own badge, is one of the most successful physical attacks because it leverages a strong social norm: holding the door is polite, stopping someone feels rude. Attackers literally rehearse this: a box in the hands, a friendly smile, in they go.
The fix is not bluntness but a friendly routine. 'May I see your badge?' or 'Who are you here to see?' is polite and effective. An organisation where people are used to asking each other this is demonstrably harder to penetrate.
Explicitly train the habit, and back people up when they apply it. Nothing kills it faster than a colleague who says 'don't be silly' when someone asks. Leadership can model the behaviour: an executive who visibly wears their badge and asks when in doubt normalises it.
The home workplace and the travelling office
A significant share of work happens outside the building. Home, café, train. That changes the physical risk picture:
At home: ensure confidential calls cannot be overheard by housemates or visitors. Devices go into a locked cupboard or desk when not in use. Work documents do not belong on the kitchen table during a family event.
In a café or restaurant: pick a seat with your back to the wall, use a privacy screen, and never leave your laptop alone to visit the toilet. Ask staff or a colleague to watch, or take the device.
On a train: the same, with one addition: no confidential calls. It sounds obvious, but in practice it is one of the most common leaks.
USB sticks, found items and the "just help me out" trick
Attackers still use low-tech tricks in 2026 because they keep working. Three scenarios every employee should recognise:
A USB stick found in the car park or lobby, sometimes branded with a company logo. Curious about whose it is, someone plugs it in. At that moment malware on the stick can run, or the stick can present itself to the computer as a keyboard and type commands on the attacker's behalf faster than anyone can react (a so-called BadUSB device). Rule: found sticks go to reception or security, never into a work device.
A "technician" who needs to "do something quickly in the meter cupboard". Ask for ID and a work order, call the listed contact via a known number. Real technicians find this normal.
A friendly person outside with a cigarette asking you to hold the door. Politely ask for a badge or have them enter via reception. Classic tailgating.
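The fake-keyboard trick in the USB scenario above leaves a trace that a security team can check for, because the operating system logs every interface a USB device registers. The script below is an added example, not part of the original article or of the 2LRN4 programme: it reads constructed Linux kernel log lines in the format the kernel prints when a USB device enumerates (the vendor and product id abcd:ef01 is made up for the example) and flags a device that registers both a mass-storage interface and a keyboard, which is the BadUSB pattern, as well as any keyboard not on an allow-list.

```python
import re

# Constructed sample kernel log lines (not real captures). Device 1-1 is an
# ordinary keyboard, 1-2 is a "storage stick" that also registers a keyboard
# (the BadUSB pattern), 1-3 is a plain storage stick. The id abcd:ef01 is a
# made-up vendor:product pair used only for this example.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-1: Product: USB Keyboard
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice= 1.00
usb 1-2: Product: Flash Disk
usb-storage 1-2:1.0: USB Mass Storage device detected
hid-generic 0003:ABCD:EF01.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-2/input1
usb 1-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-3: Product: Ultra Fit
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Enumeration line: gives the device path (e.g. "1-2") and its vendor/product id.
NEW_DEV = re.compile(
    r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
# Mass-storage interface bound on a device path ("1-2:1.0" -> path "1-2").
STORAGE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
# HID keyboard bound; the 0003:VVVV:PPPP id repeats the USB vendor/product id
# in upper-case hex, which is how we link this line back to the device.
KEYBOARD = re.compile(
    r"^hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ Keyboard \["
)


def analyse_usb_log(text, allowed_keyboards=frozenset()):
    """Return one finding per suspicious device.

    allowed_keyboards holds "vid:pid" strings (lower-case hex) of keyboards
    the organisation issues; any other keyboard is reported. A device that
    is both storage and keyboard is reported regardless of the allow-list.
    """
    devices = {}  # path -> {"vid", "pid", "storage", "keyboard"}
    by_id = {}    # (vid, pid) -> path, links hid-generic lines to the device
    for line in text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            path, vid, pid = m.groups()
            devices[path] = {"vid": vid, "pid": pid, "storage": False, "keyboard": False}
            by_id[(vid, pid)] = path
            continue
        m = STORAGE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["storage"] = True
            continue
        m = KEYBOARD.match(line)
        if m:
            path = by_id.get((m.group(1).lower(), m.group(2).lower()))
            if path:
                devices[path]["keyboard"] = True

    findings = []
    for path, d in devices.items():
        ident = f"{d['vid']}:{d['pid']}"
        if d["storage"] and d["keyboard"]:
            findings.append({"path": path, "id": ident,
                             "reason": "storage device also registered as a keyboard (BadUSB pattern)"})
        elif d["keyboard"] and ident not in allowed_keyboards:
            findings.append({"path": path, "id": ident,
                             "reason": "keyboard not on the allow-list"})
    return findings


if __name__ == "__main__":
    for f in analyse_usb_log(SAMPLE_LOG, allowed_keyboards={"046d:c31c"}):
        print(f"{f['path']} ({f['id']}): {f['reason']}")
```

Run against a real machine with `journalctl -k` or `dmesg` as input; the composite storage-plus-keyboard match is the strong signal, the allow-list check is noisier and needs the organisation's issued keyboard ids. Linking HID lines by vendor:product id is ambiguous when two identical devices are plugged in at once, which is acceptable for an alert but not for forensics.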
How to anchor this in an awareness programme
Physical security belongs in the base programme of every organisation, with extra modules for those who work largely off-site or have access to sensitive spaces (data centres, finance rooms, customer data).
Combine a short module (five to seven minutes) on the six basics with physical visibility: a poster at the entrance about badging and the politeness dilemma, a sticker on meeting rooms with 'lock your screen', and regular walk-rounds by security where positive examples are highlighted.
Finally: make it visible when someone does the right thing. A news item 'this week Karim brought a found USB stick to reception instead of plugging it in' teaches more than ten generic posters.
See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.
Related articles
- Clean desk policy explained
- QR phishing and physical social engineering
- Device security basics
- How to build a security culture
Sources
FAQ
What is physical security in the context of awareness?
The behaviours and habits that stop an attacker from gaining physical access to your office, devices, papers or conversations. Think badging, screen locking, clean desk, handling USB sticks and visitors, and privacy in public spaces.
What is tailgating?
Walking through a controlled access door behind someone else without badging in yourself. One of the most successful physical attacks because people want to be polite. Countermeasure: politely ask for a badge or the purpose of the visit.
What do I do with a found USB stick?
Take it to reception or security, never plug it into a work device. Attackers do drop sticks around office buildings hoping someone connects them. A stick can carry malware or pose as a keyboard that types commands into your machine.
May I have a confidential call on a train?
Preferably not. A large share of physical leaks in 2026 comes from public calls overheard by others. Wait until you are in a quiet space, or use a phone booth.
Do privacy screens really help?
Yes, for the most common risks. A privacy filter narrows the viewing angle of your screen so a neighbour on a train or in a café cannot read along. For a few euros it is a good measure.
How do I handle an unknown visitor without a badge?
Politely ask: "can I help you?" or "who are you here to see?". In doubt: escort them to reception. This is easier if the organisation has normalised the habit; leadership can role-model it.
What physical measures does NIS2 require?
The NIS2 directive requires demonstrable measures for the physical side of information security where it affects continuity and confidentiality. That includes access control, securing devices and documents, and awareness training on physical behaviour.
External source: NCSC - Awareness resources