How do I build an effective security awareness programme?

Start with a risk analysis and baseline measurement, choose a platform with risk-based learning material, set up an annual calendar, combine training with phishing simulations and measure quarterly.

How large should the security awareness budget be?

European benchmarks are €5-20 per employee per year depending on the platform and level of support. Compare this to the average cost of a data breach (>€4M).

How do I get management involved in security awareness?

Present click rates and risk figures in board language (financial risk, reputational damage, legal liability). Have the board complete a short training themselves — this increases sense of urgency.

Why security awareness often fails

Practical guidance on why security awareness often fails for organizations that want to improve secure behavior structurally.

Updated: February 2026 Current

From insight to action

See how to turn this topic into a practical awareness program with training, phishing simulations and clear management reporting.

Book demo View the primary solution page

Alain Rees

Founder & Security Awareness Specialist · 2LRN4

When less than 1% of employees engage with security awareness training, the cause is rarely the content. A summary of an originally Dutch article by Alain Rees on why awareness programmes fail and why the diagnosis is almost always cultural, not editorial.

Why this article exists

This article was originally published in Dutch as part of a weekly series by Alain Rees. The full content is preserved in the original language to maintain voice and accuracy of the Dutch security awareness market context.

For English-speaking readers we provide the summary above. The full Dutch text is one click away — and most automatic translation tools handle the content well.

From explanation to action

See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.

View the program page

FAQ

Is the full article available in English?

Not at the moment. The original is in Dutch; the link above leads to the canonical NL text.

Why is the content kept in Dutch?

The piece references Dutch market specifics (Cbw, NEN 7510, Dutch organisational culture) where Dutch terminology is canonical.

External source: NIST - Security awareness and training

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.

Book demo Download guide More articles