How do I build an effective security awareness programme?

Start with a risk analysis and baseline measurement, choose a platform with risk-based learning material, set up an annual calendar, combine training with phishing simulations and measure quarterly.

How large should the security awareness budget be?

European benchmarks are €5-20 per employee per year depending on the platform and level of support. Compare this to the average cost of a data breach (>€4M).

How do I get management involved in security awareness?

Present click rates and risk figures in board language (financial risk, reputational damage, legal liability). Have the board complete a short training themselves, this increases sense of urgency.

Why security awareness often fails

"When fewer than 1% of employees take part, it is rarely down to the training content." I recently heard at a security event that education institutions had ended their contract with their security awareness vendor because only 50 of thousands of employees took part. The conclusion: "The content does not fit; let's do it ourselves." An understandable reaction, but a misleading one. In practice it is almost always about communication, change management, culture and engagement — not about the content of a module.

When nobody takes part, it is rarely the content

Anyone who has ever rolled out an awareness programme knows that content is rarely the cause of low engagement. Of course it helps if material is recognisable, current and pleasant to follow. But even the best videos and e-learning miss their mark if employees feel it is "an IT thing", or something that is not really important.

In such situations the challenge does not lie with the training, but with the way the organisation communicates about it and makes its importance visible. An organisation that drops a vendor over "poor content" does not solve the real problem, and will be stuck again next quarter, no matter who supplies the content.

Meaning, leadership and rhythm — the real engine

Behaviour only changes when people understand why something matters. So it does not start with a course, but with meaning. When employees do not experience what digital safety has to do with their own work, awareness stays abstract — something you might make time for one day when your calendar is empty. And of course it never empties.

There is something else: employees sense unerringly whether a topic is carried by management. If a board does not explicitly state why awareness matters, or if managers do not encourage participation, non-commitment arises. And non-commitment is the biggest enemy of change.

Rhythm also plays a crucial role. Awareness works like any routine: you build it through repetition. A message on the intranet, six weeks of silence, and then suddenly a mandatory training: that does not feel relevant. But a recognisable rhythm — for example a short theme each month — makes the subject normal, manageable and predictable.

Awareness is change management, not content management

What is often forgotten is that awareness is essentially change management. It takes time, explanation, recognition and patience. Employees must be able to place the risk in their own context. Sometimes it even works better to use examples from private life first, because that lowers the threshold.

Making your own content can certainly be valuable, especially if it is organisation-specific or sector-specific. But it does not solve the core problem when the underlying preconditions are missing. Content is not an engine; it is fuel. Without an engine nothing moves, however good the fuel.

You build culture together

In organisations where awareness does work, you see that the conversation about digital safety is not limited to the IT department. Managers refer to it in meetings. HR ties it to professional conduct. Communications ensures visibility. Ambassadors across the organisation share examples and experiences.

Once that foundation is in place, participation follows by itself. Then it barely even matters which provider you choose — the organisation itself makes sure the programme lands. If we start there, soon it will not be one percent taking part, but eighty.

FAQ

What is the real cause of low participation?

In 9 out of 10 cases: a lack of visible leadership and a missing link between the topic and the employee's work. Content comes in third place.

Does making your own content help?

Only if the organisational preconditions are already in place. Otherwise the problem shifts without being solved, and you add content maintenance to your own plate.

How do you measure whether the problem is content or organisation?

Compare participation between teams within the same organisation. If some teams reach 80% and others 5%, it lies with management and culture, not with content.

What is the first step to turn this around?

A board that visibly takes part — literally finishes a module and talks about it. Without leadership, all other interventions sink.