Cybersecurity Awareness Training That Actually Works
Real‑world insight into making IT security awareness effective
Cybersecurity awareness training is no longer purely an IT issue; it affects the entire organisation. At Anhalt University of Applied Sciences, a holistic approach is therefore being pursued to embed information security sustainably – including through new, engaging learning formats. Cybersecurity awareness is more than a mandatory training requirement: it is a decisive factor in organisational security.
But how can organisations not only reach employees, but also bring about lasting behavioural change?
Susanne Nitschke, Information Security Officer at Anhalt University of Applied Sciences, shares her perspective as an end‑user as she chats with Dr. Robert Lohmann, Product Manager at Scheer IMC and expert in digital learning solutions, about what makes IT security awareness truly effective.
Robert Lohmann: Cybersecurity awareness has been an important topic for years. Yet we see that many organisations still struggle to reach employees in a sustainable way. From your perspective, why is that?
Susanne Nitschke: Reaching employees is not actually the difficult part. The real challenge is motivating them to engage with IT security. Because we use digital systems in our everyday lives, we are exposed to cyber risks almost daily – but who wants to think about risks and threats every day? People can become somewhat fatigued by the topic. It only becomes interesting when it affects them personally, and in that initial moment of shock they often don’t know how to respond. They haven’t learned how to deal with it and haven’t taken an interest before because it didn’t seem relevant.
Motivation to engage with IT security and to develop a certain level of awareness must also come from management. People sometimes need a little push in the right direction. While common sense and a healthy scepticism help in many situations, they are not always enough to handle a situation professionally. Organisations need to establish a culture of IT security – one that is demanded and supported from the top, where KPIs are reviewed and clear goals are set and consistently pursued. Only then does the necessity become clearer, and employees become more confident in dealing with unexpected cyber incidents. However, this is a long-term process that is constantly evolving and must be kept alive through various measures.
Robert Lohmann: Meanwhile, traditional IT security training is often perceived as a tick-box exercise. What has your experience been?
Susanne Nitschke: There was a directive from the university president stating that the basic training is mandatory for all employees and must be repeated every two years. However, the level of compliance depends heavily on how rigorously it is monitored. Without professional tracking tools and strong support from departmental managers (although some areas set a very good example), participation remains relatively low.
I would like our training to be seen not as an annoying obligation, but as guidance for safe behaviour. Occupational health and safety is firmly embedded in the organisation, and participation in training in that area is strongly enforced. IT security – which, in my view, is also part of workplace safety since we use information technology daily – has not yet reached that status.
My goal is to create engaging and informative training and to try out new formats. I prefer fostering voluntary interest in the topic rather than relying solely on obligation. Through built-in feedback mechanisms, gamification elements, quizzes, and videos in online courses, as well as appealing design – such as in Cyber Crime Time – and through annual security events, I aim to engage employees in dialogue, reach those who are still uninterested, and continuously improve the training. One positive side effect is that the organisation’s learning management system becomes more familiar to employees over time.
Robert Lohmann: What, then, is crucial for you in order for cybersecurity awareness to truly take hold in everyday work?
Susanne Nitschke: I really believe you either have awareness or you don’t. This attentiveness is important not only at work but also in everyday life. I believe that anyone who has personally experienced financial or data theft becomes more sensitive to the issue and understands its importance in the workplace.
The key factor is personal relevance for both the individual and their specific role. If training addresses employees directly in their own work context and highlights relevant pitfalls, it increases awareness because it feels personally relatable.
At the university, I initially structured online training by target groups: students, employees who are not primarily desk-based, employees who work daily with sensitive data, those seeking to build foundational knowledge, and IT administrators. However, there is still room for improvement in tailoring content more specifically to each work context. The more individual and relevant the training, the better it is received and the more effectively it raises awareness.
Robert Lohmann: You also use more gamified training formats, correct? What prompted this approach?
Susanne Nitschke: Even if you are convinced that you have developed or purchased a good training programme, you still need to convince your target audience. Posters, flyers, and newsletters can raise awareness of the training, but gamification motivates participants to complete it – at least those who respond to this type of stimulus.
People react differently to different incentives, so not every game mechanic works equally well for everyone. There are different player types and personalities: some enjoy forums, some want to be creative, and others are motivated by competition. I have tried to incorporate elements from all these areas into the basic training to positively influence motivation.
The reactions have ranged from surprise to outright rejection of certain elements. But I am pleased that it sparks any reaction at all – because that means people are engaging with it. Cyber Crime Time has been consistently well received by both employees and students. Thanks to the built-in feedback function, participants can share their opinions. So far, there has been no negative feedback, which is very encouraging and shows that the training has been a worthwhile investment.
Robert Lohmann: And although your project is still in its implementation phase, what initial insights have you gained?
Susanne Nitschke: The start was somewhat slow, but looking at participation numbers today and reading the feedback, I am quite satisfied. Of course, such initiatives still need strong promotion through newsletters, posters, flyers, and social media.
Thanks to the appealing design, the storyline – where participants take on the role of a hacker – and the short but engaging learning units, I believe the project will continue to gain visibility through word of mouth. Since the campaign consists of different modules that are regularly updated, and the story of the main character “X.O1” unfolds over several parts, it remains dynamic. People keep returning to the learning platform to check for new content or to follow the next chapter of the story.

Robert Lohmann: What should other organisations perhaps consider when building an awareness programme?
Susanne Nitschke: An awareness programme should not be about pointing fingers or delivering top-down instruction. Instead, it should continuously reinforce the importance of the topic through small insights that gradually become embedded in people’s minds.
An awareness programme is not just an online training course – it consists of many components working together and engaging different senses. Communication about the topic and sharing personal experiences are also important elements that foster understanding. We are all working towards the same goal – not wasting each other’s time.
Not every format suits every person, but a variety of activities increases the likelihood that something will resonate. An awareness programme should also include realistic attack simulations. This is why, alongside Cyber Crime Time, additional workshops and events are planned for this year.
Ultimately, everyone is pursuing the same objective: greater security when it comes to handling digital systems.
Robert Lohmann: How do you ensure the topic remains visible in the long term?
Susanne Nitschke: I regularly plan new initiatives myself to draw attention to information security. One example is an augmented-reality campaign where users can display the character “X.O1” in their environment. The character then directs them to the current online course. It’s a completely different way of raising awareness, and I hope people will scan the QR code rather than avoiding it out of fear of “quishing” (QR code phishing).
At the same time, this also provides an opportunity to raise awareness about QR code phishing and its associated risks. April was chosen as the launch period because the new semester begins, allowing us to reach students as well. After all, the university depends on its students, and in partnership with Scheer IMC we have found a good approach to offer training specifically to this audience. Students, as well as university staff, are a crucial factor in information security.
In my view, long-term visibility can only be achieved through continuous communication with all stakeholders.
Robert Lohmann: What would be your final takeaway on the topic?
Susanne Nitschke: Put simply, that cybersecurity awareness training does not run itself. It requires continuous impulses, relevant content, and formats that truly engage people. Cybercriminals constantly find new ways to exploit vulnerabilities, but the better prepared people are for these attack techniques, the better equipped they are to respond appropriately and the more secure our infrastructure becomes against cyberattacks.