A Study of Different Awareness Campaigns in a Company

TL;DR

This paper evaluates different awareness campaigns in a company to determine their effectiveness in reducing phishing susceptibility, highlighting that pleasant campaigns lead to better performance and emphasizing the importance of measurable success indicators.

Contribution

It provides a case study on implementing and validating awareness training methods in SMEs, introducing key performance indicators for assessing effectiveness.

Findings

Pleasant campaigns improve phishing simulation performance.

Significant differences observed between target groups.

Awareness training with KPIs offers a measurable success framework.

Abstract

Phishing is a major cyber threat to organizations that can cause financial and reputational damage, threatening their existence. The technical measures against phishing should be complemented by awareness training for employees. However, there is little validation of awareness measures. Consequently, organizations have an additional burden when integrating awareness training, as there is no consensus on which method brings the best success. This paper examines how awareness concepts can be successfully implemented and validated. For this purpose, various factors, such as requirements and possible combinations of methods, are taken into account in our case study at a small- and medium-sized enterprise (SME). To measure success, phishing exercises are conducted. The study suggests that pleasant campaigns result in better performance in the simulated phishing exercise. In addition, significant improvements and differences in the target groups could be observed. The implementation of awareness training with integrated key performance indicators can be used as a basis for other organizations.