Cyberdise AG

Blog – EN

Which new CYBERDISE Feature we built in 2025 you didn’t know about?

Why Security Awareness Will Always Work – If You Build and Measure the Right Thing

Recent discussions around the effectiveness of cybersecurity awareness have been reignited by high-profile media coverage. Most prominently, a Wall Street Journal article drawing on the study “Understanding the Efficacy of Phishing Training in Practice” questions whether phishing simulations and awareness training lead to meaningful risk reduction.

The debate itself is healthy. The conclusions drawn from it, however, require more nuance.

A growing body of empirical research shows that well-designed cybersecurity awareness programs do improve real-world cyber risk behavior. What often fails is not awareness as such, but narrow interpretations of what awareness is, how it should be embedded organizationally, and how success should be measured.

How Often and How Fast Should I Phish My Colleagues in 2026?

How many phishing simulations should be conducted and how frequently users should be confronted with cybersecurity eLearning is a recurring topic in consulting for awareness programs and campaigns.
This topic is far from academic – it’s highly relevant for practical application.
A sensitization effect, once achieved, begins to crumble after about three months, and after six months, maximum erosion has essentially been reached. There are solid studies on this, and our latest scientific research shows a very similar result.
However, the statements made about the quantity and timing of awareness measures must be considered with nuance. It would be dangerous to derive simple, universally applicable rules from them.

What CUSTOMERS DO WRONG When Starting Cybersecurity Awareness Programs

Common possible missteps on the customer side when implementing security awareness projects

It’s like any other project: you think it’s too easy, you don’t listen or listen to the wrong experts, you think you’ll master it, or you think you can do it alone, you don’t talk to each other enough and the goals and requirements are not as clear as they should be. If you then start with an inappropriate mindset and management fails to recognize the purpose, value and benefits of awareness, then the project can get off to a very bumpy start.

Can AI Detect Malicious Intent in an Email?

Phishing emails are becoming harder to detect, even for humans. A recent study tested various large language models (LLMs) for their ability to recognize malicious intent in emails, revealing significant differences in performance.

One standout was Claude 3.5 Sonnet, which scored over 90% at low false positive rates and even flagged suspicious emails that humans overlooked. When explicitly asked to assess suspicion, it correctly classified all phishing emails while avoiding false alarms on legitimate messages. However, it struggled with conventional phishing emails, achieving only an 81% true-positive rate in that category…

Is It Really Easier When Product-Market Fit Is Achieved? Well…

Conversely, does this mean that once you have achieved product-market fit, you can start scaling immediately and you are sure to be successful? I would say: maybe, probably not.

Yes, 9 out of 10 start-ups fail. And yes, most of them probably failed because they offered something that the market didn’t really want. But I do have some reservations about the rest becoming successful because the PMF has been reached.