In CYBERDISE AWARENESS, two concepts are often used interchangeably – attitude and behavior. They are related, but they are not the same. Confusing them is one of the main reasons why many awareness programs fail to deliver lasting risk reduction.

Attitude is shaped primarily through information, communication, and training. Traditional awareness programs focus heavily on this layer: policies, videos, e-learning, and explanations of “what could go wrong.”

Research confirms that training can indeed influence attitude. Employees often report higher awareness, stronger responsibility, and better understanding after training interventions.

In CYBERDISE AWARENESS, two concepts are often used interchangeably – attitude and behavior. They are related, but they are not the same. Confusing them is one of the main reasons why many awareness programs fail to deliver lasting risk reduction.

Attitude is shaped primarily through information, communication, and training. Traditional awareness programs focus heavily on this layer: policies, videos, e-learning, and explanations of “what could go wrong.”

Research confirms that training can indeed influence attitude. Employees often report higher awareness, stronger responsibility, and better understanding after training interventions.

What features were we able to roll out? A review.

Modern attacks happen in seconds, but awareness teams often work in days or weeks. We wanted to close this gap. CYBERDISE 2025 brings together AI reconnaissance, autonomous campaign components, multi-organizational management, and a revamped content ecosystem. It’s a platform that not only trains, but also systematically scales security culture—from medium-sized businesses to MSSPs. At the end of the year, we will showcase the features developed this year that will help you achieve this goal. Which ones are you not familiar with yet? Take a look for yourself at the end of this article!

Recent discussions around the effectiveness of cybersecurity awareness have been reignited by high-profile media coverage. Most prominently, a Wall Street Journal article drawing on the study “Understanding the Efficacy of Phishing Training in Practice” questions whether phishing simulations and awareness training lead to meaningful risk reduction.

The debate itself is healthy. The conclusions drawn from it, however, require more nuance.

A growing body of empirical research shows that well-designed cybersecurity awareness programs do improve real-world cyber risk behavior. What often fails is not awareness as such, but narrow interpretations of what awareness is, how it should be embedded organizationally, and how success should be measured.

How many phishing simulations should be conducted and how frequently users should be confronted with cybersecurity eLearning is a recurring topic in consulting for awareness programs and campaigns.
This topic is far from academic – it’s highly relevant for practical application.
A sensitization effect, once achieved, begins to crumble after about three months, and after six months, maximum erosion has essentially been reached. There are solid studies on this, and our latest scientific research shows a very similar result.
However, the statements made about the quantity and timing of awareness measures must be considered with nuance. It would be dangerous to derive simple, universally applicable rules from them.

Common possible missteps on customer-side in implementing Security Awareness projects

It’s like any other project: you think it’s too easy, you don’t listen or listen to the wrong experts, you think you’ll master it, or you think you can do it alone, you don’t talk to each other enough and the goals and requirements are not as clear as they should be. If you then start with an inappropriate mindset and management fails to recognize the purpose, value and benefits of awareness, then the project can get off to a very bumpy start.

Phishing emails are becoming harder to detect, even for humans. A recent study tested various large language models (LLMs) for their ability to recognize malicious intent in emails, revealing significant differences in performance.

One standout was Claude 3.5 Sonnet, which scored over 90% at low false positive rates and even flagged suspicious emails that humans overlooked. When explicitly asked to assess suspicion, it correctly classified all phishing emails while avoiding false alarms on legitimate messages. However, it struggled with conventional phishing emails, achieving only an 81% true-positive rate in that category…

Company founders pitch investors to get funding and other help for their business idea. Reverse pitching turns the tables: the investors, business angels and VC’s apply to the startup entrepreneurs to be allowed to invest in their companies.

Is this a good idea? No and yes ☺

Over the past 15 years, I’ve had hundreds of conversations with investors – and yet, I’ve never really thought about what it would be like if an investor had to pitch to me, not the other way around.

What would I look for?

Conversely, does this mean that once you have achieved product-market fit, you can start scaling immediately and you are sure to be successful? I would say: maybe, probably not.

Yes, 9 out of 10 start-ups fail. And yes, most of them probably failed because they offered something that the market didn’t really want. But I do have some reservations about the rest becoming successful because the PMF has been reached.

In the early days, cybersecurity training was not yet fully understood. Most attempted to educate their staff through training, and the first phishing campaigns for educational purposes were conducted. And compliance wasn’t that important yet.

A company exists because the employees believe there is a way, the customers believe it solves a problem, and the investors believe it is worth something 😉

Despite comprehensive security awareness training, many organizations still continue to have cybersecurity breaches resulting from human error. We believe that it is because many people understand cybersecurity threats in theory but struggle to apply the knowledge in practice consistently to act safely.

This gap between risk attitude (knowing what is risky) and risk behavior (actually acting securely) is what today’s article will be about 😉

The IBM Cost of a Data Breach Report has been published every year for two decades.

It’s often read for the numbers: the global average breach cost (now $4.4M), the top industries, or the fines (which in the U.S. push average costs to $10M).

But look a little deeper and with your own expert-view, and this year’s report says something more fundamental about cybersecurity awareness.

Cybersecurity awareness training is a vital component of organizational defense strategies. However, many awareness providers or solutions are not able to cover the requirements of the customers. We list and summarize common weaknesses of security awareness providers and practical steps (bigger) organizations can take to address them.

The Marks & Spencer Cyber Attack shows it. Large companies with complex organizations, many languages, multiple LMS systems, heterogeneous metadata landscapes and high process variance need cybersecurity awareness solutions that are designed to meet such challenges. Otherwise, employee awareness of cyber risks will degenerate into a farce or there is a risk of group-wide failure.

The similarities and differences are impressive – in our irregular series ‘The biggest cyber heists’, we look at the biggest cyber heists in history. Today’s post analyzes the bybit, MGM and Sony hack. We summarize what happened, how it happened, who noticed it, what damage was done and what the consequences were. We then examine what measures would have been useful to counteract this and whether something could have been done with more vigilance.

In today’s hyper-connected digital world, information is power. Unfortunately, this power isn’t just in the hands of the good guys. Cybercriminals are increasingly turning to Open Source Intelligence (OSINT) to fuel their attacks, particularly phishings. By exploiting publicly available information, attackers can craft highly personalized and convincing scams that are harder to detect and resist.

A great awareness solution for complex needs – What began a year and a half ago as a business idea for AI-driven awareness tailored to more complex customer needs has truly made an impact! CYBERDISE now trains and tests over 40,000 users. With the latest version 2.5, we have demonstrated that our solution is competitive and is licensed by reputable large clients and partners.
Specialized cybersecurity service providers and larger organizations have unique requirements for their cybersecurity awareness programs. CYBERDISE effectively meets complex and specialized security awareness training needs.

The U.S. presidential election was hit with billions of cyberattacks. 6 billion, to be exact. Fake news, phishing scams, deepfakes – you name it. Somehow, though, things held up.
Now, Germany’s snap election is just weeks away, and experts are already sounding the alarm. Phishing attacks are on the rise. Disinformation is spreading. Fake news isn’t just background noise anymore – it’s being used to manipulate public opinion and mess with democracy.

While “Carry-On” primarily focuses on physical security in an airport, its themes resonate deeply with today’s cybersecurity challenges. To us, the movie serves as a stark reminder of how vulnerabilities – both technological and human – can be exploited with devastating consequences. Let’s explore key moments

GDPR vs NIS2 vs ISO 27001: Key Differences Explained. Compliance isn’t just a buzzword – it’s a cornerstone of trust, security, and resilience. But navigating the differences between GDPR, NIS2, and ISO 27001 can feel like solving a puzzle. What do you need to know, and why does it matter? Let’s break it down.

Published Date: December 5, 2024 Have you watched “The Great Hack” movie? A must-watch for insights into the psychology behind phishing attacks! Psychology and Phishing Attacks Phishing attacks rely heavily on psychological tricks, which is why understanding these tactics is …

Did you know that it-sa Expo & Congress in Nuremberg is one of Europe’s leading cybersecurity events? This year, it set new records with 25,830 trade visitors from 65 countries and 897 exhibitors.

A $25 Million Deepfake Scam: The Rise of AI-Powered Cybercrime Quishing: The Rise of QR Code Phishing Scams German company, Diehl Defense, targeted by North Korean Hackers

Why Today’s Phishing Exercises (Simulations) Are Mostly Stupid? Published Date: November 4, 2024 The “Cybersecurity Awareness” Paradox There’s something almost ironic about cybersecurity awareness: on one hand, cybersecurity is the lifeline that can make or break a company in the …

Free Phishing Simulation and Awareness Training with the Cyberdise Freemium Edition – DIY Cybersecurity Awareness. Published Date: October 21, 2024 A top-notch, free phishing simulator with cybersecurity e-learning and complete functionality: Just in time for Cybersecurity Awareness Month and it-sa …

Beware of Quishing: The Rise of QR Code Phishing Scams Published Date: September 22, 2024 Beware of Quishing – The New Phishing How scammers hide harmful links in QR codes you are scanning Have you ever scanned a QR code …

The Universal Simulation and Awareness Solution: Cyberdise 2.0 Published Date: September 10, 2024 Cybersecurity Awareness Meets AI – THE Universal Solution You Need Protect Your Organization by Empowering Your Employees Cyber threats are evolving rapidly, and your organization’s defense starts …

It is now undisputed that a Cyber Attack has become one of the biggest and most costly threats to companies. A secure technical infrastructure is often no …