Cyberdise AG

What CUSTOMERS DO WRONG when starting Cybersecurity Awareness Programs

Common missteps on the customer side when implementing security awareness projects

It’s like any other project: you think it’s too easy, you don’t listen (or you listen to the wrong experts), you think you’ll master it on your own, you don’t talk to each other enough, and the goals and requirements are not as clear as they should be. If you then start with an inappropriate mindset and management fails to recognize the purpose, value and benefits of awareness, the project can get off to a very bumpy start.

This is also sometimes the case with the introduction of cybersecurity awareness programs.

To take a look at what can go wrong, we have examined the mistakes and false expectations that were documented in a USENIX study [1]. We then compared the results with our own experience and structured and completed the list.

The outcome is a summary of shortcomings, blind spots, and false assumptions made by organizations/customers when procuring or starting to operate phishing simulation and awareness programs. This is what we found:

  1. Assuming Awareness Is Plug-and-Play
  2. Underestimating Stakeholder Involvement
  3. Lack of Internal Project Ownership and Clear Project Goals
  4. Overvaluing Click Rates and Phishing KPIs
  5. Assuming Content Quality Without Validation
  6. Neglecting Master Data Quality
  7. Treating Security as “Someone Else’s Job” or “The Supplier’s Job”
  8. Choosing Vendors Based on Price Bundling
  9. Overemphasis on Training, Not Testing
  10. Fear of Frightening Employees with Cyber Awareness
  11. No Metrics for Learning Outcomes
  12. Lack of Planning for Time and Resources
  13. Assuming One-Size-Fits-All for Global Teams
  14. Over-Reliance on Security Teams
  15. Ignoring Integration Challenges
  16. Procurement Effort Exceeds Project Execution Effort
  17. Focusing on Content Instead of Service Capability
  18. Treating Awareness as a Compliance Checkbox

Common Pitfalls in Cybersecurity Awareness Projects

  1. Assuming Awareness Is Plug-and-Play:
    For larger organizations it is neither easy nor simple. Believing that SAC/PSC is a low-effort, plug-and-play solution is a fundamental mistake. Many organizations assume the rollout is quick and easy, when in reality it requires over 14 months and significant cross-functional effort.
  2. Underestimating Stakeholder Involvement:
    More departments are usually involved than expected. In the studied organizations, up to 17 departments participate. It’s crucial to engage all stakeholders early – before the project starts – to prevent delays, frustration, and additional costs.
  3. Lack of Internal Project Ownership and Clear Project Goals:
    Tasks like content review, testing, and integration are not clearly assigned, resulting in missed deadlines and poor learning content coverage. Project goals are not clearly defined, so project success is often measured unclearly, if at all.
  4. Overvaluing Click Rates and Phishing KPIs:
    Organizations often rely too heavily on raw click and report rates as indicators of success, without evaluating actual behavioral change or content quality. There is no structured survey of the level of awareness before and after the project launch.
  5. Assuming Content Quality Without Validation:
    Decision-makers often assume the awareness content meets company needs without reviewing its alignment with policies, tone, cultural fit or accuracy.
  6. Neglecting Master Data Quality:
    Do you want to train and phish meeting rooms? Many rollout issues stem from outdated or inconsistent employee data, such as incorrect email addresses or department mismatches.
  7. Treating Security as “Someone Else’s Job” or “The Supplier’s Job”:
    Security and awareness responsibilities are expected to be added on top of daily tasks, leading to stakeholder overload or disengagement. In the worst case there’s an expectation that the vendor will take care of the actual work. In the domain of cybersecurity awareness & training there is a widespread misconception that you have nothing more to do with awareness once you hand the job over to so-called full-service awareness providers.
  8. Choosing Vendors Based on Price Bundling:
    Procurement prioritizes bundled Security Awareness Campaign deals for price benefits, even when content quality, culture fit, content adoption capabilities or technical capabilities are lacking. Neglecting to examine the range, quality and pricing of services for more individual services also happens frequently.
  9. Overemphasis on Training, Not Testing:
    Organizations assume users will learn from eLearning courses and ‘teachable moments’ during training, but many users lack awareness of the need for awareness in the first place. Therefore they ignore or resent training nudges. Simulated attacks and assessments are underutilized.
  10. Fear of Frightening Employees with Cyber Awareness:
    Some fear that unannounced simulations will scare employees. However, experience shows this fear is exaggerated and not representative of overall workforce reaction. You can also announce the phishing tests in advance without any problems. The impact on the click rate will hardly be noticeable.
  11. No Metrics for Learning Outcomes:
    There is often no pre- or post-assessment to measure learning. Only operational metrics like clicks and threat reports are used, offering no insight into actual knowledge gain.
  12. Lack of Planning for Time and Resources:
    Time and effort are either not formally budgeted at all or are underestimated. Period. Annotation: The cheapest incident is the one that never happens, right? But how do you quantify such things?
  13. Assuming One-Size-Fits-All for Global Teams:
    Language barriers, privacy laws, and cultural differences are common but rarely anticipated or addressed in advance. The underlying problem is the mindset that standard modules fit the custom needs of the company.
  14. Over-Reliance on Security Teams:
    Business units expect InfoSec to handle everything, even though InfoSec often lacks the capacity or the content knowledge required for Cybersecurity Awareness Program evaluation and operation. Often there’s also a skill mismatch: Security Teams are mainly protectors, Security Awareness Programs need more playful ‘preventers’ and educators.
  15. Ignoring Integration Challenges:
    Organizations assume the phishing simulation campaigns integrate seamlessly with internal systems (e.g., mail servers, firewalls, APIs), but in practice, this is rarely the case. Proper whitelisting is fundamentally important for the success of awareness campaigns and is always the responsibility of the company.
  16. Procurement Effort Exceeds Project Execution Effort:
    More effort goes into supplier selection than the awareness project itself. There is a false belief that selecting the right solution ensures success. Moreover, procurement complexity inflates project costs, as vendors pass these costs on.
  17. Focusing on Content Instead of Service Capability:
    There is a widespread misconception that large content libraries are inherently suitable. Little attention is paid to service quality or the provider’s support capabilities.
  18. Treating Awareness as a Compliance Checkbox:
    Projects are often driven by compliance or certification needs rather than a commitment to behavioral change. This results in weak alignment with strategic goals, low motivation, and insufficient leadership.
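Pitfall 6 (master data quality) is the one that is easiest to catch before a campaign goes out. The following is an added example, not code from Cyberdise or from the USENIX study: a pre-flight check over a constructed HR/directory export that flags the typical defects named above (meeting-room and other resource mailboxes, malformed addresses, inactive accounts, department mismatches, duplicates) so they never reach the phishing simulation recipient list. The export format, department list and resource-mailbox naming patterns are assumptions.

```python
import re

# Constructed sample directory export (not real data); each row mirrors a
# typical defect found in stale master data before a simulation rollout.
CONSTRUCTED_EXPORT = [
    {"email": "anna.meier@example.com", "dept": "Finance", "active": True},
    {"email": "room-b12@example.com", "dept": "", "active": True},            # meeting room
    {"email": "jonas.keller@example.com", "dept": "Fnance", "active": True},  # dept typo
    {"email": "Anna.Meier@example.com", "dept": "Finance", "active": True},   # duplicate
    {"email": "old.account@example.com", "dept": "Sales", "active": False},   # left company
    {"email": "no-at-sign.example.com", "dept": "Sales", "active": True},     # malformed
]

# Assumed authoritative department list (would come from HR in practice).
KNOWN_DEPTS = {"Finance", "Sales", "IT"}

# Assumed naming convention for non-personal mailboxes in this directory.
RESOURCE_PATTERN = re.compile(r"^(room|meeting|conf|printer|noreply|no-reply)[-._]", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_recipients(rows, known_depts):
    """Split a directory export into (clean recipients, findings).

    findings is a list of (address, reason) tuples; only rows that pass every
    check end up in the recipient list a phishing simulation should target.
    """
    clean, findings, seen = [], [], set()
    for row in rows:
        email = row["email"].strip().lower()  # normalise so duplicates collide
        if not EMAIL_RE.match(email):
            findings.append((row["email"], "malformed address")); continue
        if not row.get("active", False):
            findings.append((email, "inactive account")); continue
        if RESOURCE_PATTERN.match(email.split("@")[0]):
            findings.append((email, "resource/shared mailbox")); continue
        if row["dept"] not in known_depts:
            findings.append((email, f"unknown department {row['dept']!r}")); continue
        if email in seen:
            findings.append((email, "duplicate")); continue
        seen.add(email)
        clean.append({"email": email, "dept": row["dept"]})
    return clean, findings


if __name__ == "__main__":
    ok, bad = check_recipients(CONSTRUCTED_EXPORT, KNOWN_DEPTS)
    print(f"{len(ok)} clean recipient(s), {len(bad)} row(s) need fixing before launch")
    for addr, reason in bad:
        print(f"  {addr}: {reason}")
```

Rows flagged here go back to HR or the directory owner; the campaign should only be loaded from the clean list.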

Conclusion

Awareness success doesn’t just hinge on the provider and its products. Bigger organizations must:
