
How to build an effective security awareness program — a guide for IT managers

How to design a security awareness program beyond the classroom? Training formats, effectiveness KPIs, phishing simulations, and leadership engagement tips inside.

An IT manager at a manufacturing company once told me something that neatly sums up the problem many organisations struggle with: “Łukasz, we have a health and safety training every year, a GDPR training every year, and a cybersecurity training every year. Employees click through, pass the test and leave. And then they click on a phishing email two weeks later.” I hear this story regularly — across different industries, in different cities, from companies with 80 employees to plants with several thousand workers. The problem does not lie with the people. The problem lies in how the programme is built.

Security awareness is today one of the most important elements of a comprehensive cybersecurity strategy — and at the same time one of the most frequently implemented in a way that produces no real results. In this guide I have gathered knowledge from working with more than 200 nFlo clients in order to show how to build a programme that genuinely changes employee behaviour, rather than simply ticking regulatory boxes.

Why security awareness programmes do not work — and how to change that

Most awareness programmes do not work because they treat security education as a one-off event rather than a cultural shift. An annual online training lasting 45 minutes and ending with a multiple-choice test has as much effect on real employee behaviour as reading a streaming platform’s terms of service. Knowledge that is not regularly reinforced and embedded in the context of everyday work fades in line with Ebbinghaus’s well-documented forgetting curve — after one week employees remember just 20% of the material; after a month the trace is minimal.

The second fundamental mistake is designing the programme from an IT perspective rather than from the employee’s perspective. Trainings talk about “attack vectors” and “data exfiltration” instead of showing in an accessible way: “here is an email you received two weeks ago — here is why it was fake and what you should do.” Technical content, isolated from the realities of daily work, does not reach finance department staff, sales people or warehouse workers.

The third problem is the absence of a feedback loop. The programme is launched, completed and forgotten. Nobody measures whether employees actually click on phishing emails less often after the training. Nobody checks whether reports of suspicious messages increase. Without measurement there is no basis for improvement.

How to change this? The key lies in four principles: continuity instead of one-offs, context instead of abstraction, measurement instead of certificates, and culture instead of compliance. An effective awareness programme is a system that operates throughout the year — in small, regular doses, embedded in organisational realities, with measurable outcomes and the backing of leadership.

A one-off training does not build habits — just as a single visit to the gym does not build fitness. An effective awareness programme is a continuous process, not an event.

How to design an awareness programme tailored to the organisation’s profile

There is no single universal security awareness programme that will work in every organisation. An industrial company with a large number of production workers who mainly use terminals and phones has completely different needs from a law firm with several dozen lawyers working remotely on laptops and serving clients by email. Designing a programme must start with an analysis of the risk profile and the employee profile.

The first step is segmenting employees by risk. Not all employees are equally exposed to attacks, and not all need the same training. It is worth distinguishing at least three groups: high-risk employees (management, finance, legal, IT — i.e. people with access to sensitive data or administrative privileges), standard-risk employees (the majority of staff who use email and standard systems), and employees with specific needs (e.g. physical workers with limited computer access, who need short, visual materials).

The next step is an analysis of the current level of awareness. It is worth running an initial phishing simulation before launching any training programme — this makes it possible to measure the baseline and identify the group of employees requiring priority attention. In conversations with clients I regularly encounter situations where management assumes that “things are fine here”, while the baseline phishing rate turns out to be 35–40%.

It is also important to take industry specifics into account. The public sector — local authorities, hospitals, universities — faces attacks targeting ERP and email systems, but also has specific budgetary and organisational constraints. Manufacturing companies need to think about the security of OT systems and about employees who never sit at a computer. Service companies that rely heavily on email require advanced anti-phishing modules. The awareness programme should reflect these differences.

An effective awareness programme starts with the question: who are our employees, what do they need, and what is their real risk — not with choosing an off-the-shelf e-learning platform.

Which training formats are most effective — e-learning, workshops, simulations?

The answer most people managing training budgets do not want to hear is: no single format is sufficient. The effectiveness of an awareness programme grows with the diversity of formats and their regular use. Different formats reach different employees and serve different functions in building knowledge and habits.

E-learning and microlearning are a good starting point for a broad-reach programme. Their advantages include scalability, the ability to complete them at any time and place, and easy progress tracking. The key, however, is the format — modules should last 5–10 minutes (not 45), include interactive elements, scenarios based on real attacks, and end with questions testing understanding rather than memory. Platforms such as KnowBe4, Proofpoint Security Awareness Training and Cofense offer libraries of training materials with ready-made content, but it is worth supplementing them with material tailored to the specific organisation.

Workshops and live training build significantly deeper engagement than e-learning. Employees can ask questions, discuss real cases from their industry and interact with each other. They are particularly valuable for high-risk groups — management, finance, IT — where the investment in deeper understanding is justified. In conversations with clients I see that a workshop lasting 2–3 hours, showing how phishing works “from the inside”, changes participants’ outlook far more decisively than an hour of e-learning.

Phishing simulations and social engineering tests are the only tool that allows real behaviour to be measured, rather than merely declared knowledge. An employee can pass a test with distinction and click on a simulated phishing email four weeks later. Regular simulations create conditions for practising and reinforcing vigilance in a real work environment.

Communication campaigns and contextual materials — newsletters, posters, short videos, intranet announcements, infographics — serve the role of continuous reminders and maintaining vigilance between formal trainings. They are the cheapest element of the programme, but they require regularity and good content.

Tabletop exercises and scenario-based sessions for IT and management staff allow the organisation’s readiness to be tested at the process level. How do we respond to a reported incident? Who does what? Where are the bottlenecks in communication? These exercises go beyond awareness, but are an integral part of a mature programme.

The optimal mix for a mid-size organisation is: regular (every 2–4 weeks) short e-learning modules for all employees, monthly or quarterly phishing simulations, two live workshops per year for high-risk groups, and a continuous communication campaign.

How to measure the effectiveness of an awareness programme — metrics and benchmarks

You cannot manage what you do not measure. That statement sounds like a cliché, but in practice most awareness programmes operate without any metrics other than the percentage of completed trainings — and that is precisely the least valuable metric of all.

The most important operational metric is the phishing click rate — the percentage of employees who click on simulated phishing messages. This is a direct measure of the organisation’s resilience to the most common attack vector. The baseline value before the programme starts is often 25–40%. Mature programmes bring this below 5%. The industry benchmark (KnowBe4 Phishing Benchmark 2025) for organisations with an active awareness programme is 2–8% after 12 months.

A complementary metric is the reporting rate — the percentage of employees who not only did not click on a phishing email, but actively reported it. This is a measure of engagement and sense of responsibility. A high reporting rate (10–15%+) means that employees have become an active part of the defence system rather than merely a passive target of training.

It is also worth tracking the time from simulation to report — how quickly employees detect and report suspicious messages. A short time (under 60 minutes) indicates high vigilance and efficient reporting procedures.

At the programme level, measure the completion rate (percentage of completed modules), but interpret it with caution — a 100% completion rate alongside a 40% phishing click rate signals a programme that is not working. The trend of the phishing click rate over time is more important.

Incident metrics — the number and type of real incidents linked to the human factor — are the hardest to interpret in the short term, but over a yearly horizon should show a downward trend as the programme matures.

Completing a training measures declared knowledge. Clicking on a simulated phishing email measures behaviour under stress. Measure behaviour, not knowledge.

Benchmarks for planning purposes:

Metric                    | Starting point | Target at 6 months | Target at 12 months
Phishing click rate       | 25–40%         | 12–18%             | 2–8%
Reporting rate            | 0–3%           | 5–8%               | 10–15%+
Training completion rate  | n/a            | 80%+               | 90%+
Time to report            | 24h+           | 4h                 | 1h
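The metrics above are only useful if they are computed the same way after every campaign and reported at department level without exposing individuals. The following is an added example (not code from the page or from nFlo) showing how to derive the phishing click rate, the reporting rate as defined above (reported without clicking), the median time to report, and a per-department breakdown that withholds groups too small to be anonymous, then checks the result against the planning targets. The campaign records, the department names, the 5-recipient suppression threshold and the `Recipient` structure are all constructed assumptions; a real platform export would be mapped onto the same fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Benchmark targets transcribed from the planning table above; times in minutes.
TARGETS = {
    "6 months":  {"click_rate_max": 0.18, "reporting_rate_min": 0.05, "report_minutes_max": 240},
    "12 months": {"click_rate_max": 0.08, "reporting_rate_min": 0.10, "report_minutes_max": 60},
}

MIN_GROUP = 5  # assumed threshold: smaller departments are not reported separately


@dataclass
class Recipient:
    """One recipient of a simulated phishing message (constructed record layout)."""
    user_id: str            # pseudonymous token, never a name
    department: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


T0 = datetime(2025, 3, 4, 9, 0)  # constructed send time for the whole campaign


def _rec(uid, dept, click=None, report=None):
    """Build a Recipient from minutes-after-send offsets (None = event did not happen)."""
    return Recipient(
        uid, dept, T0,
        T0 + timedelta(minutes=click) if click is not None else None,
        T0 + timedelta(minutes=report) if report is not None else None,
    )


# Constructed export from one campaign; not real client data.
CAMPAIGN = [
    _rec("u01", "finance", click=12),
    _rec("u02", "finance", report=25),
    _rec("u03", "finance"),
    _rec("u04", "finance"),
    _rec("u05", "finance", click=5, report=9),   # clicked, then reported it anyway
    _rec("u06", "sales", click=30),
    _rec("u07", "sales", click=45),
    _rec("u08", "sales"),
    _rec("u09", "sales"),
    _rec("u10", "sales", report=300),
    _rec("u11", "it", report=3),
    _rec("u12", "it", report=7),
    _rec("u13", "it"),
    _rec("u14", "it"),
    _rec("u15", "it"),
    _rec("u16", "legal", click=60),   # two-person department: withheld in the breakdown
    _rec("u17", "legal"),
]


def campaign_metrics(recipients):
    """Click rate, reporting rate (reported without clicking) and median time to report."""
    sent = len(recipients)
    clicked = sum(1 for r in recipients if r.clicked_at is not None)
    reported = sum(1 for r in recipients
                   if r.reported_at is not None and r.clicked_at is None)
    # Time to report counts every report, including those that came after a click.
    report_minutes = [(r.reported_at - r.sent_at).total_seconds() / 60
                      for r in recipients if r.reported_at is not None]
    return {
        "sent": sent,
        "clicked": clicked,
        "reported": reported,
        "click_rate": clicked / sent if sent else 0.0,
        "reporting_rate": reported / sent if sent else 0.0,
        "median_minutes_to_report": median(report_minutes) if report_minutes else None,
    }


def department_breakdown(recipients, min_group=MIN_GROUP):
    """Per-department metrics; groups below min_group are withheld so a manager
    cannot infer which individual clicked."""
    by_dept = {}
    for r in recipients:
        by_dept.setdefault(r.department, []).append(r)
    breakdown, suppressed = {}, []
    for dept, members in sorted(by_dept.items()):
        if len(members) < min_group:
            suppressed.append(dept)
        else:
            breakdown[dept] = campaign_metrics(members)
    return breakdown, suppressed


def check_against_targets(metrics, horizon):
    """Which of the planning targets for the given horizon does the campaign meet?"""
    t = TARGETS[horizon]
    ttr = metrics["median_minutes_to_report"]
    return {
        "click_rate": metrics["click_rate"] <= t["click_rate_max"],
        "reporting_rate": metrics["reporting_rate"] >= t["reporting_rate_min"],
        "time_to_report": ttr is not None and ttr <= t["report_minutes_max"],
    }


if __name__ == "__main__":
    m = campaign_metrics(CAMPAIGN)
    print(f"sent={m['sent']} click_rate={m['click_rate']:.1%} "
          f"reporting_rate={m['reporting_rate']:.1%} "
          f"median_minutes_to_report={m['median_minutes_to_report']}")
    breakdown, suppressed = department_breakdown(CAMPAIGN)
    for dept, dm in breakdown.items():
        print(f"  {dept:<8} click_rate={dm['click_rate']:.0%} reporting_rate={dm['reporting_rate']:.0%}")
    print(f"  withheld (fewer than {MIN_GROUP} recipients): {suppressed}")
    for horizon in TARGETS:
        print(f"{horizon}: {check_against_targets(m, horizon)}")
```

Two design points matter more than the arithmetic: the reporting rate deliberately excludes people who clicked first, so it measures the behaviour the programme wants (report instead of click), and the department breakdown refuses to compute figures for groups smaller than the threshold, which is what makes a "results per department, no names" policy enforceable rather than a promise.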

How to run phishing simulations without demotivating employees

Phishing simulations are one of the most effective tools in an awareness programme, but also one of the easiest to run in a way that destroys trust and demotivates employees. I have seen organisations where, following a simulation, employees felt deceived by their own employer — and that is an outcome that works against the goals of the programme.

The key principle is: the simulation must be a learning tool, not a trap. The goal is to build resilience, not to “catch” as many people as possible. This philosophy must be clearly communicated — before the programme is launched, management should inform employees that simulations will be conducted, why they are important, and what will happen if someone “clicks”.

What happens when an employee clicks? This question is central to the culture of the programme. The only right answer is: the employee is automatically redirected to a short, 5-minute training module explaining what “gave it away” in that particular message and how to recognise similar attempts in the future. No ridicule, no punishment, no public announcement. Learning through experience — yes. Shaming — absolutely not.

Designing scenarios requires a balance between realism and ethics. Scenarios should be realistic and based on current attacker techniques, but should not excessively exploit emotionally sensitive topics (e.g. illness, the death of a loved one, job loss). A well-designed scenario mimics typical attacks: a fake invoice from a “supplier”, a notification about an “account problem”, a request to “update data”. Overly exotic scenarios do not build resilience against real threats.

Frequency and variety are more important than difficulty. It is better to run simulations monthly with different scenarios and varying levels of difficulty than quarterly campaigns that always use the same patterns. Employees learn to recognise patterns rather than principles — varied scenarios build general vigilance, not just resilience to one type of attack.

After each simulation campaign it is worth conducting a brief results analysis at department level (without naming specific individuals) and sharing it with managers. This enables targeted follow-up actions where the biggest gaps exist.

A simulation is meant to teach, not to punish. An employee who “clicked” and immediately saw why — and what to do differently — becomes a stronger link than an employee who was never tested.

What new scenarios (ClickFix, QR phishing, deepfake) must be included in training?

The threat landscape is evolving faster than most training programmes. Organisations that build training content once a year and run it without updates are educating employees to defend against past attacks, while attackers are already using entirely new techniques. Three areas demand particular attention in 2026.

ClickFix is a social engineering technique that emerged in Poland and Western Europe in 2024–2025 and is exceptionally insidious because it exploits the instinctive desire to “fix a problem”. An employee lands on a website (posing, for example, as a CAPTCHA verification portal, an online tool or a company website) or receives a document that displays an error message and instructs them to “fix” it by pasting a command into a terminal or a Windows dialogue box. In reality, the command installs malware. Training must show this scenario directly: no legitimate website or document asks users to run commands in a terminal.

QR phishing (quishing) has exploded as an attack technique because QR codes are universally accepted and treated as safe. Employees are accustomed to scanning QR codes in restaurants, in car parks, in documents — and they carry that trust over to attacks. A malicious QR code in an email, on a printed poster or a sticker in an office lift leads to a phishing page posing as an authentication portal. Training must teach the principle: after scanning a QR code, check the URL of the page it opens before entering any data.

Deepfake audio and video are entering the attacker’s arsenal in Business Email Compromise (BEC) and vishing (voice phishing) attacks. Cases in which finance department employees were persuaded to authorise wire transfers after a “video call with the CEO” or a “phone call from the CFO” have already been reported in Poland. Training must explain the deepfake mechanism and introduce verification procedures: regardless of how real a conversation seems, every non-standard financial instruction must be confirmed via a separate, independent communication channel.

Beyond these new techniques, trainings must regularly update phishing scenarios based on current trends: fake notifications from systems the organisation uses (Microsoft 365, HR platforms, e-commerce), seasonal attacks related to tax returns, year-end invoices, recruitment or holidays.

In conversations with clients I regularly hear that employees are confident they can recognise phishing — because they “know those emails with the Nigerian prince”. Meanwhile, modern spear-phishing is personalised, written without spelling mistakes and based on data from LinkedIn. The training programme must be as up-to-date as the threats.

How to engage leadership in the security awareness programme

This is, frankly, one of the most difficult elements of building a mature awareness programme. Not because leadership teams are irresponsible — but because they often do not understand why their personal involvement matters, and why this is not “an IT matter”.

The first principle: speak leadership’s language, not IT’s language. “The phishing click rate is 28%” is an abstraction for most CEOs. “Every fourth employee will click on a fake supplier invoice, and one recent ransomware campaign started in exactly that way and cost a company 2.3 million zlotys and two weeks of downtime” — that is a message that lands. When preparing materials for leadership, always operate in business numbers: cost of an incident, downtime, regulatory penalties, reputational risk.

Leadership must understand their share of the risk. Senior management is the number-one target of spear-phishing and BEC attacks — because they have access to financial systems, make decisions, and their emails carry authority with subordinates. At the same time they are often the group that undergoes training least frequently or is exempted from it altogether. Running a phishing simulation targeted at the board (with their knowledge and consent) and showing the results can change perceptions of the topic within a single meeting.

Leadership must also be visibly present as sponsors of the programme. “Tone at the top” — the tone set by the apex of the organisation — is one of the most powerful mechanisms for shaping culture. If the company’s CEO sends employees a message signed with their own name: “Security is a priority for us, and I have completed the training myself” — this builds a completely different climate than an automated message from the IT department. Leadership should be the first to complete the training and to say so openly.

Regular reporting to leadership should be short (one page) and focused on trends, not technical details. A comparison of the phishing click rate quarter on quarter, the number of incidents reported by employees, a comparison with industry benchmarks — these are the data points that allow leadership to assess whether the investment in the programme is producing results.

Leadership that treats awareness as “an IT project to be ticked off” creates an organisation where nobody takes security seriously. Leadership that is a visible sponsor of the programme builds a security culture.

How often to run training and tests — the optimal cycle

The question of frequency is one of the most common ones I hear from clients — and the answer is not as simple as “once a quarter”. The optimal cycle depends on the current maturity level of the organisation, the available resources and the risk profile. Several proven principles can, however, be identified.

Formal training (e-learning modules or workshops) should take place at least twice a year for all employees, with a more intensive cycle for high-risk groups (management, IT, finance) — quarterly or every two months. New employees should undergo a security onboarding training in their first week of work — this is a moment when people are naturally receptive to new rules and procedures.

Phishing simulations should take place at least once a month, although quarterly campaigns are a reasonable starting point for organisations at the beginning of their programme. Regularity is more important than intensity — a monthly simulation of moderate difficulty is significantly more effective than a quarterly campaign with maximally challenging scenarios. It is also important for simulations to be run at different times of the week and month — real attacks do not wait for the first Monday of the quarter.

Continuous communication — newsletters, alerts about new threats, short “security tip of the week” messages — should run every week or every two weeks. This is the cheapest element of the programme and one of the most effective at maintaining vigilance. Many organisations use tools built into awareness platforms (KnowBe4, Proofpoint) to automate this communication.

Social engineering tests (conducted by external specialists and covering vishing, physical entry tests, tailgating tests, among others) are worth running once or twice a year as part of a deeper assessment of the security culture. The results of such tests are extremely valuable for leadership and HR departments as a measure of the organisation’s real resilience.

Programme review and update should take place at least once a year — with an analysis of the collected metrics, an update of phishing scenarios, a review of training content in light of new threats and regulations. It is also worth conducting short “pulse check” surveys among employees in order to understand how they perceive the programme and what they find frustrating.

What does the security awareness programme maturity model look like?

The maturity of an awareness programme can be described in five levels that help assess the current state and plan the development path. The model below is a synthesis of the frameworks used by nFlo in its work with clients.

Level 1: Non-existent
  Characteristics: No formal programme. Ad hoc training or none at all. Awareness treated as a technical IT matter.
  Key metrics: Phishing rate: 30–50%. No data.
  Action priorities: Launch baseline phishing test. Basic onboarding training. Appoint programme owner.

Level 2: Basic
  Characteristics: Annual “compliance” training. Sporadic simulations. No employee segmentation. No measured KPIs.
  Key metrics: Phishing rate: 20–35%. Completion rate 60–75%.
  Action priorities: Increase training frequency. Launch recurring simulations. Define KPIs. Management communication about the importance of the programme.

Level 3: Developed
  Characteristics: Regular training (quarterly+). Monthly simulations. Risk group segmentation. Basic KPIs measured (click rate, completion).
  Key metrics: Phishing rate: 8–15%. Reporting rate 3–7%. Completion rate 85%+.
  Action priorities: Implement microlearning. Expand scenarios to include new techniques. Engage managers as ambassadors. First social engineering tests.

Level 4: Advanced
  Characteristics: Programme tailored to the risk profile of each group. Automatic training paths triggered by a click. Culture of incident reporting. Regular social engineering tests.
  Key metrics: Phishing rate: 3–7%. Reporting rate 8–12%. Time to report < 2h.
  Action priorities: Gamification and reward programmes. Integration with threat intelligence. Regular tabletop exercises. Reporting to leadership.

Level 5: Exemplary
  Characteristics: Security awareness embedded in the organisational culture. Employees as an active layer of defence. Continuous measure-analyse-improve loop. Programme treated strategically by C-level.
  Key metrics: Phishing rate: <3%. Reporting rate 12%+. Time to report < 1h. Programme ROI measured and reported.
  Action priorities: Mentoring internal security ambassadors. Participation in threat intelligence sharing. Contributing to the development of industry regulatory standards.

Most organisations implementing a programme from scratch start at level 1 or 2. Moving to level 3 typically requires 6–12 months of consistent work. Level 4 is achievable within 1–2 years with a disciplined approach and leadership support. Level 5 is a long-term goal reached by organisations that treat security as a cultural value, not merely a compliance requirement.

An important note: advancement between levels does not happen by itself. It requires resources, commitment and — in most cases — the support of external specialists who bring current tools, scenarios and an objective assessment.

What role do nFlo social engineering tests play in an awareness programme?

Social engineering tests are more than an elaborate phishing simulation. They are a professional, structured assessment of the entire organisation’s resilience to psychological manipulation — conducted by external specialists using the methods of real attackers.

Within nFlo’s services, social engineering tests encompass several layers. The first consists of phishing and vishing campaigns — simulated email and telephone attacks, designed on the basis of current techniques, with results analysis and a report identifying vulnerability groups. The second layer consists of physical tests — attempts to enter protected premises, testing identity verification procedures, assessing vulnerability to tailgating and pretexting. The third, most advanced layer consists of tests targeting specific individuals or processes — for example, a BEC attack simulation against the finance department or a test of the invoice approval process.

What distinguishes social engineering tests from internal phishing simulations? Above all, the external perspective and the absence of prior knowledge of the organisation — nFlo specialists operate like a real attacker who starts with OSINT and builds scenarios based on publicly available information. This makes it possible to identify gaps that an internal programme may overlook because it is too familiar with its own organisation.

Social engineering test reports contain not only statistics but above all a narrative: what the attack looked like step by step, what worked on the defence side and what did not, what specific process and training changes are recommended. Such a report is often one of the most persuasive documents for leadership, who can see a real, step-by-step attack on their own organisation.

nFlo works with more than 200 clients, delivering 500+ security projects, with a 98% retention rate. Social engineering tests are an integral part of security services and are designed to strengthen, not replace, internal awareness programmes. The combination of a well-built internal programme and regular external tests gives an organisation the most complete picture of its resilience to the human factor.


FAQ — frequently asked questions

Is a security awareness programme required by regulation?

In Poland and the EU, several regulations impose the requirement to train employees in information security. NIS2 (the directive on the security of network and information systems) requires essential and important entities to conduct regular training for personnel, including management. ISO 27001 in section A.7.2.2 requires information security training and awareness as an element of the management system. GDPR imposes an obligation to train employees who process personal data. It is worth treating the awareness programme as an investment in operational security, not merely as a box to be ticked.

How much does implementing an awareness programme cost?

Costs vary greatly depending on the approach. SaaS platforms for awareness management (KnowBe4, Proofpoint SAT, Cofense) cost 10–30 USD per user per year for mid-size organisations. External social engineering tests cost from several thousand to several tens of thousands of zlotys depending on the scope. Live workshops — the cost of a trainer and employees’ time. Internal costs (time of the programme coordinator, communication, reporting) are harder to estimate. For an organisation of 200–500 people, the total annual budget for a solid programme is typically 50–150 thousand PLN — and the cost of a single serious incident far exceeds that figure many times over.

How to convince employees that training is not “yet another pointless obligation”?

The key is context and relevance. A training that shows real cases — “a company in your industry lost 1.2 million zlotys after a bookkeeper clicked on an invoice like this” — lands completely differently from abstract presentations about types of malware. It is also worth communicating results: “after the last simulation campaign our click rate dropped from 31% to 9% — that really makes a difference.” Employees engage when they see that the programme has effects and that their effort matters.

What to do with employees who repeatedly click on phishing simulations?

Repeated clicks are a signal that standard training is not reaching this person — and they require a different approach, not stricter punishment. It is worth checking whether the employee understands the material (a language barrier? technology issues?), whether they have access to training in their language or in a format that suits them, and whether their direct manager talks to them about security. For employees who repeatedly “fall for” phishing it is worth considering dedicated, short one-on-one sessions or a tailored training module. Drastic penalties — even if the regulations permit them — typically demotivate and reduce the likelihood of real incidents being reported.

How to measure the ROI of an awareness programme?

The ROI of an awareness programme is difficult to calculate precisely, but it can be estimated. The starting point is the cost of a typical incident in your industry (the Ponemon Institute publishes annual reports with this data — the average cost of a data breach in the EU in 2025 is over 4 million EUR). If the programme has reduced the phishing click rate from 35% to 5%, you can calculate the estimated reduction in the probability of a phishing-initiated incident and multiply it by the expected cost of an incident. This is approximate, but it allows for a conversation with leadership in financial terms they understand.
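To make the estimate described in this answer repeatable, here is an added worked example (not a calculation from the page or from nFlo). It applies the page's approximation that the probability of a phishing-initiated incident falls in proportion to the click rate, computes the avoided annual loss and ROI, and adds the break-even incident cost, the figure at which the programme just pays for itself, which is often the more defensible number to put in front of leadership. The 35% to 5% click rates are the page's example; the baseline incident frequency, the programme budget and the list of incident costs swept in the sensitivity check are constructed assumptions.

```python
def annual_loss_expectancy(incidents_per_year, cost_per_incident):
    """Classic ALE: expected number of incidents per year times cost per incident."""
    return incidents_per_year * cost_per_incident


def estimate_programme_roi(click_rate_before, click_rate_after,
                           baseline_incidents_per_year, cost_per_incident,
                           programme_cost):
    """Page's approximation: the probability of a phishing-initiated incident
    scales with the click rate. Returns ALE before/after, the avoided annual
    loss, the ROI ratio and the incident cost at which the programme breaks even."""
    if not 0 < click_rate_before <= 1 or not 0 <= click_rate_after <= 1:
        raise ValueError("click rates must be fractions, with the baseline above zero")
    if programme_cost <= 0:
        raise ValueError("programme cost must be positive")
    scale = click_rate_after / click_rate_before            # e.g. 5% / 35% = 1/7
    ale_before = annual_loss_expectancy(baseline_incidents_per_year, cost_per_incident)
    ale_after = ale_before * scale
    avoided = ale_before - ale_after
    # Incidents avoided per year; the break-even cost is the per-incident cost at
    # which that reduction exactly covers the programme budget.
    incidents_avoided = baseline_incidents_per_year * (1 - scale)
    break_even = programme_cost / incidents_avoided if incidents_avoided > 0 else float("inf")
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "avoided_loss": avoided,
        "roi": (avoided - programme_cost) / programme_cost,
        "break_even_incident_cost": break_even,
    }


def roi_sensitivity(incident_costs, **assumptions):
    """ROI across several assumed incident costs. The estimate is dominated by that
    one input, so present leadership with the range rather than a single number."""
    return [(c, estimate_programme_roi(cost_per_incident=c, **assumptions)["roi"])
            for c in incident_costs]


if __name__ == "__main__":
    # Constructed assumptions (single currency, EUR): one incident every four years
    # at baseline, 30k programme budget; the 4M incident cost is the page's EU figure.
    assumptions = dict(click_rate_before=0.35, click_rate_after=0.05,
                       baseline_incidents_per_year=0.25, programme_cost=30_000)
    r = estimate_programme_roi(cost_per_incident=4_000_000, **assumptions)
    print(f"ALE before: {r['ale_before']:,.0f}  ALE after: {r['ale_after']:,.0f}")
    print(f"avoided annual loss: {r['avoided_loss']:,.0f}  ROI: {r['roi']:.1f}x")
    print(f"break-even incident cost: {r['break_even_incident_cost']:,.0f}")
    for cost, roi in roi_sensitivity([100_000, 500_000, 4_000_000], **assumptions):
        print(f"  incident cost {cost:>9,}: ROI {roi:+.1f}x")
```

The sensitivity sweep is the part worth showing: with the constructed inputs the programme is a net loss if a typical incident costs less than about 140,000, and strongly positive at the page's multi-million figure, so the conversation with leadership becomes "what do we believe an incident costs us", which is a question they can answer.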


Security awareness is one of the elements of a comprehensive strategy for protection against the human factor. Complementary reading includes articles on social engineering tests, phishing and cybersecurity maturity models.

Find out more

If you are wondering how to implement or improve a security awareness programme in your organisation, I am happy to arrange a free consultancy call. In 30 minutes we can discuss the current state of the programme, identify the key gaps and propose priority actions.

Check our services

nFlo offers comprehensive support in building security awareness programmes: from an audit of the initial state, through programme design and platform selection, to regular social engineering tests and live training. We work with organisations in the public sector, manufacturing, financial services and critical infrastructure.

  • Social engineering tests — phishing, vishing, physical tests, BEC simulation
  • Security awareness training — workshops for employees and management
  • Awareness programme as a service — programme design, implementation and management
  • Tabletop exercises — testing incident response procedures

Contact nFlo and find out how we can strengthen the human layer of defence in your organisation.


Sources

  1. KnowBe4. Phishing by Industry Benchmarking Report 2025. KnowBe4 Research, 2025.
  2. Verizon. 2025 Data Breach Investigations Report (DBIR). Verizon Business, 2025.
  3. IBM Security / Ponemon Institute. Cost of a Data Breach Report 2025. IBM, 2025.
  4. ENISA. ENISA Threat Landscape 2025. European Union Agency for Cybersecurity, 2025.
  5. Proofpoint. State of the Phish 2025. Proofpoint, Inc., 2025.
  6. SANS Institute. Security Awareness Report 2025: Managing Human Cyber Risk. SANS, 2025.
  7. Ebbinghaus, H. Über das Gedächtnis: Untersuchungen zur experimentellen Psychologie. Leipzig: Duncker & Humblot, 1885.
  8. NIST. SP 800-50 Rev. 1: Building a Cybersecurity and Privacy Learning Program. National Institute of Standards and Technology, 2023.
  9. CERT Polska / CSIRT GOV. Raport o stanie bezpieczeństwa cyberprzestrzeni RP 2024. CERT Polska, 2025.
  10. nFlo. Internal data from security awareness projects and social engineering tests for 200+ clients, 2023–2025.
