Which topics belong in a good security training for employees? In 2026 the list looks different from five years ago. AI literacy and modern phishing forms have been added, and old checklists with 'strong password, rotate every 30 days' are not just outdated but in some cases harmful. What belongs in a 2026 base programme, what in role-based deep-dives, and what no longer fits?
The base programme for everyone: seven core topics
Almost every employee in 2026 needs the same base knowledge, regardless of role. The seven topics every base programme should include:
- Phishing and social engineering. Not just email but also smishing, vishing, quishing and BEC. AI-generated variants included. Rule of thumb: verify unusual requests via a second channel.
- Password management and authentication. Length over complexity, password manager by default, MFA preferring authenticator app or hardware key, transition to passkeys and FIDO2.
- Data protection and GDPR. What personal data is, the six GDPR principles, purpose limitation and retention, the reporting route on a suspected breach.
- Safe device use. Screen lock, disk encryption, updates, separating work and personal, fast reporting on loss or theft.
- Safe cloud and collaboration. Conscious sharing (not "anyone with the link"), MFA on cloud accounts, only approved services, recognising suspicious OAuth prompts.
- AI literacy. Mandatory under EU AI Act article 4: what AI is, what risks exist, which approved services exist, which data does not belong in public AI systems.
- Reporting culture and incident response. How to report suspicious messages or incidents, why blame-free reporting is critical, and what the first response is on a suspected compromise.
Role-based deep-dives for risk groups
Not every employee carries the same risk. A workable segmentation:
Finance departments get extra modules on CEO fraud and BEC, payment verification protocols (callback on a known number, four-eyes check above a threshold), recognising supplier bank-detail changes as an attack vector, and deepfake voices behind unusual financial requests.
IT staff get modules on MFA-bypass techniques (push bombing, adversary-in-the-middle, SIM swap), helpdesk impersonation and how to protect employees against it, operational incident response, and the handling of personal and shared credentials.
HR gets GDPR in recruitment, AI Act on use of AI tools in HR processes, employee personal data, confidentiality of internal reports.
Healthcare staff get NEN 7510 topics: medical data, patient safety, chain agreements with subcontractors, physical security in patient environments.
Board members follow the Cbw article 24 track: governance, personal liability, threat landscape at high level, tabletop exercises.
What is new in 2026 and what is outdated
Four topics essential in 2026 but often missing from older programmes:
- AI literacy and safe AI use. Mandatory since February 2025 under the EU AI Act. Which AI services are approved, which data never goes into public models, how to recognise risks in AI output (hallucination, bias).
- MFA bypass and passkeys. Not only enabling MFA, but knowing that MFA fatigue, adversary-in-the-middle and SIM swap exist, and how passkeys protect against them.
- Quishing and QR codes. Largely absent from pre-2024 training but routine in 2026. Email filters cannot read QR codes, and employees scan them with personal phones that sit outside corporate controls.
- Deepfake voices and CEO fraud 2.0. Voice cloning from under ten minutes of audio is daily reality in 2026. Process-based verification is the only workable defence.
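The MFA-fatigue pattern described above (a burst of denied or unanswered push prompts, sometimes followed by an approval) is also something the IT side can detect in authentication logs. The following Python script is an added example, not code from the original article or from 2LRN4; the log line format, the field names, the ten-minute window, the threshold of three and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag MFA push-fatigue ('push bombing') bursts in authentication logs.

Added example, not from the original article. The log schema, thresholds
and sample lines below are constructed assumptions, not a real product's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-03-04T09:12:01Z user=j.doe event=mfa_push result=denied src=198.51.100.7
2026-03-04T09:12:31Z user=j.doe event=mfa_push result=denied src=198.51.100.7
2026-03-04T09:13:02Z user=j.doe event=mfa_push result=timeout src=198.51.100.7
2026-03-04T09:13:40Z user=j.doe event=mfa_push result=denied src=198.51.100.7
2026-03-04T09:14:15Z user=j.doe event=mfa_push result=approved src=198.51.100.7
2026-03-04T09:20:00Z user=a.smith event=mfa_push result=approved src=203.0.113.5
2026-03-04T10:05:00Z user=a.smith event=mfa_push result=denied src=203.0.113.5
2026-03-04T10:45:00Z user=a.smith event=mfa_push result=approved src=203.0.113.5
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
BURST_THRESHOLD = 3              # assumed: unanswered pushes in WINDOW before alerting


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_push_bombing(log_text: str) -> list[dict]:
    """Return one alert per burst of denied/timed-out pushes per user.

    'approved_after_burst' is set when the user finally approves while the
    burst is still inside the window: the case where fatigue succeeded and
    the account should be treated as compromised until verified.
    """
    alerts: list[dict] = []
    open_alert: dict[str, dict] = {}                 # user -> alert still accumulating
    pending: dict[str, deque] = defaultdict(deque)   # user -> times of unanswered pushes
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "mfa_push":
            continue
        user, ts, result = rec["user"], rec["ts"], rec.get("result")
        queue = pending[user]
        while queue and ts - queue[0] > WINDOW:
            queue.popleft()                          # drop pushes outside the window
        if user in open_alert and len(queue) < BURST_THRESHOLD:
            del open_alert[user]                     # burst has aged out
        if result in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) >= BURST_THRESHOLD and user not in open_alert:
                alert = {"user": user, "first_push": queue[0], "src": rec.get("src"),
                         "pushes": len(queue), "approved_after_burst": False}
                open_alert[user] = alert
                alerts.append(alert)
            elif user in open_alert:
                open_alert[user]["pushes"] = len(queue)
        elif result == "approved":
            if user in open_alert:
                open_alert[user]["approved_after_burst"] = True
                del open_alert[user]
            queue.clear()                            # an approval ends the sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

The same logic maps onto any identity provider's sign-in log once the field names are adapted; the point for the deep-dive is that a burst of denials is itself the signal, and an approval at the end of one is the highest-priority case.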
Topics that are truly outdated
Three patterns common in older modules that should be removed:
'Strong passwords = uppercase + digit + symbol, rotate every 30 days.' NIST and the Dutch NCSC have written the opposite for years: length over complexity, no mandatory rotation. A module preaching 30-day rotation teaches demonstrably weaker behaviour.
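To make the difference concrete, the following Python script puts the outdated composition rule next to a length-and-screening policy of the kind NIST SP 800-63B describes. It is an added example, not code from the original article or from 2LRN4; the minimum length of 12, the breached-password sample, the context words and the hypothetical tenant name are constructed assumptions.

```python
"""Legacy composition policy versus a length-and-screening policy.

Added example, not from the original article. Thresholds, the breach sample
and the context words are assumptions constructed for illustration.
"""
import re

# Constructed sample of a breached-password corpus (stored lower-cased).
# A real deployment screens against a full breach list, e.g. a local copy.
BREACHED_PASSWORDS = {"p@ssw0rd1", "welcome2025!", "qwerty123!", "summer2026!"}

# Hypothetical tenant-specific words that should never appear in a password.
CONTEXT_WORDS = ("acme", "acmecorp")

MIN_LENGTH = 12  # assumed floor for this example
MAX_LENGTH = 64  # long passphrases must not be rejected


def legacy_policy_accepts(password: str) -> bool:
    """The outdated rule: >= 8 chars with upper, lower, digit and symbol."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def modern_policy_rejections(password: str, username: str = "") -> list[str]:
    """Length-over-complexity rule: returns the reasons a password is rejected.

    An empty list means accepted. There are no composition rules; instead the
    password is screened against breached values and context-specific words.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    if lowered in BREACHED_PASSWORDS:
        reasons.append("found in breached-password list")
    words = CONTEXT_WORDS + ((username.lower(),) if username else ())
    for word in words:
        if word in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if len(set(lowered)) < 4:
        reasons.append("too few distinct characters")
    return reasons


def rotation_required(days_since_change: int, compromise_suspected: bool) -> bool:
    """Rotation is event-driven: age alone never forces a change."""
    del days_since_change  # deliberately unused: age is not a trigger
    return compromise_suspected


def compare(password: str, username: str = "") -> dict:
    """Show how the two policies judge the same password."""
    rejections = modern_policy_rejections(password, username)
    return {
        "legacy_accepts": legacy_policy_accepts(password),
        "modern_accepts": not rejections,
        "modern_rejections": rejections,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "correct horse battery staple", "Acme-Summer-2026!"):
        print(pw, compare(pw))
```

Run as-is, the script shows the three cases a training module should explain: a breached but "complex" value passes the legacy rule and fails the modern one, a long passphrase without digits or symbols fails the legacy rule and passes the modern one, and a password built from the company name passes the legacy rule but is screened out.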
'You spot phishing by language mistakes.' AI phishing is flawless. A module still using this as cue trains the wrong pattern.
'Don't click on a link in an email.' Too abstract; staff will click anyway. Better: check the domain, hover for the real destination, prefer a bookmark when verifying an account.
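The "hover for the real destination" advice above is exactly the check a link scanner performs on an HTML message body before a person ever sees it. The following Python script is an added example, not code from the original article or from 2LRN4; the sample message, the brand-to-domain mapping, the example.com / example.net hostnames and the heuristics are constructed assumptions, and the two-label domain approximation stands in for a proper public-suffix lookup.

```python
"""Compare where an email link says it goes with where it really goes.

Added example, not from the original article. The sample message body, the
brand mapping and all hostnames are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML snippet mimicking a message body (not a real email).
SAMPLE_EMAIL_HTML = """
<p>Your account needs review.</p>
<a href="https://accounts-verify.example-security-check.com/login">https://accounts.example.com/login</a>
<a href="https://www.example.com/help">Help centre</a>
<a href="http://203.0.113.10/reset">Reset password</a>
<a href="https://example.com@evil.example.net/">example.com</a>
"""

# Hypothetical mapping of brand words to the domains they legitimately use.
KNOWN_BRAND_DOMAINS = {"example": ("example.com",)}

# Displayed text that looks like a URL or bare domain, optionally with a path.
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Naive last-two-labels approximation; a real checker uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href: str, text: str) -> list[str]:
    """Return the reasons a link deserves a second look (empty list = nothing found)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        findings.append(f"userinfo before host; real host is '{host}'")
    try:
        ipaddress.ip_address(host)
        findings.append("destination is a bare IP address")
    except ValueError:
        pass
    if parts.scheme == "http":
        findings.append("plain http")
    shown = text.lower()
    match = DOMAINISH.match(shown)
    if match:
        shown_host = match.group(1)
        if registrable_domain(shown_host) != registrable_domain(host):
            findings.append(f"shown '{shown_host}' but goes to '{host}'")
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in shown and not any(host == d or host.endswith("." + d) for d in domains):
            findings.append(f"mentions '{brand}' but '{host}' is not an approved {brand} domain")
    return findings


def scan_email(html: str) -> list[tuple[str, str, list[str]]]:
    """Run assess_link over every anchor in a message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {findings or 'ok'}")
```

The second link in the sample comes back clean, which is the point of the exercise: the cue is not "a link exists" but "the displayed text and the real destination disagree", and that is what employees should be trained to look for when they hover.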
How to spread topics across the year
A workable plan distributes the seven base topics plus role deep-dives across twelve months. Example:
- January: GDPR and data protection
- February: phishing and social engineering
- March: passwords and authentication
- April: AI literacy
- May: devices and remote work
- June: cloud and collaboration
- July: summer break or optional personal module
- August: phishing simulation and review
- September: reporting culture and incident response
- October: role-based deep-dive per department
- November: board theme (Cbw art. 24) and compliance
- December: year-in-review and outlook
For compliance you link the cycle to a formal base training at onboarding plus annual acceptance of the acceptable use policy (AUP). For behaviour you combine the monthly rhythm with quarterly phishing simulations and direct feedback on clicks.
Vary the form: not only e-learning but posters, a short video from the executive, internal news with anonymised examples from real incidents. Hybrid beats uniform.
See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.
FAQ
Which topics belong in a base training?
Phishing and social engineering, password management and MFA, data protection/GDPR, device security, cloud and collaboration, AI literacy, reporting culture and incident response. Seven core topics for nearly any organisation.
What is role-based deep-dive?
Extra modules for risk groups: finance (CEO fraud, BEC), IT (MFA bypass, incident response), HR (GDPR and AI Act in recruitment), healthcare (NEN 7510, medical data), board (Cbw article 24).
What is new in 2026 vs older programmes?
AI literacy, MFA-bypass awareness, quishing/QR phishing, and deepfake voice attacks. Absent or barely present in pre-2024 modules.
Which topics are outdated?
30-day password rotation, "spot phishing by language errors", and generic "do not click links". Research shows these now backfire.
How many topics per year is realistic?
Seven core topics across twelve microlearning modules works for most organisations. One theme per month with form variation and optional role deep-dives.
Must AI literacy really be in a base programme?
Yes. Mandatory since 2 February 2025 under EU AI Act article 4 for any organisation using AI. In practice nearly everyone uses an AI tool, so an AI module in the base programme is no longer optional.
How do I combine topics with phishing simulations?
Monthly microlearning covers the theme; the quarterly simulation tests it in practice. On a click, give immediate microlearning feedback with the three cues the employee could have spotted.
External source: NIST - Security awareness and training