The cyber threat landscape remains challenging. The majority of attacks still begin with social engineering or phishing. At it-sa Expo&Congress 2025, it was emphasised once again that security extends well beyond technology. It begins with human behaviour. Modern phishing campaigns are highly convincing, AI-driven and designed to exploit human vulnerabilities. Therefore, the decisive factor is not only which tools organisations deploy, but also how well their employees are prepared for real-world attacks.
How well are employees really prepared?
Today's phishing attacks are highly personalised and deceptively authentic; attackers precisely mimic language, design and familiar workflows. AI-driven techniques further increase the pressure, as employees must react correctly at the critical moment. So, how well are they truly prepared?
In reality, people tend to overestimate their abilities, and even experienced employees can fall victim to social engineering. Effective preparation therefore requires more than just knowledge. It needs realistic exercises, actionable feedback and continuous training. These elements make the difference:
- Trust, high stress levels and time pressure are the biggest entry points for attackers.
- Even experienced employees can be tricked by social engineering.
- Realistic phishing simulations can highlight vulnerabilities.
- Real-time feedback improves the ability to identify attacks.
Let this it-sa Expo&Congress 2025 insight inspire you:
Which awareness measures have a lasting impact?
One-off training sessions and policies are not enough. Sustainable awareness is built through continuous, practical learning impulses delivered precisely where risks arise, such as in emails, Teams or the browser. Micro-learning, situational exercises and regular reminders reinforce knowledge, while leaders promote the right security culture by setting a good example. These elements consistently make a difference:
- Provide learning resources directly where risks arise, such as in emails, Teams or browsers.
- Regular reminders strengthen knowledge retention.
- Leaders promote secure behaviour by setting an example.
Discover valuable insights and practical examples in these it-sa Expo&Congress 2025 sessions:
- KnowBe4 | From Regulation to Resilience: Integrating Human Risk Management into Compliance (German)
- SoSafe | Security awareness pays off: resilience as protection against business failures (German)
How frequently should awareness training take place?
Behaviour change doesn't happen through one-off mandatory training sessions; it's driven by regular, small learning moments. Studies show that training content is quickly forgotten without repetition. Consistency ensures that employees remain alert and confidently recognise phishing attempts over time. These insights can help to inform your approach:
- The 'little and often' approach: short, regular training sessions are more effective than annual mandatory courses.
- Learning curves demonstrate a significant decline in retention after just a few weeks.
- Continuous training measurably reduces click rates.
Deepen your expertise with this it-sa Expo&Congress 2025 insight:
When did you last experience an attack?
Phishing now occurs across all channels. Attacks no longer only happen via email; they also affect messenger apps, cloud tools and mobile platforms. The most important thing is that employees receive support at the exact moment a decision is made. Real-time alerts and context-aware guidance reduce errors and bolster everyday security. These elements make a measurable difference:
- Real-time security provides support when decisions are being made.
- Context-aware warnings significantly reduce user errors.
Explore detailed insights in these it-sa Expo&Congress 2025 sessions:
What role does culture play?
Awareness isn’t created by training alone; it grows through a lived security culture. An open approach to mistakes, a culture of empowerment rather than blame, and diverse teams encourage employees to report cyberattacks rather than hide them. Only then does human risk become truly manageable. These two principles can make a significant difference:
- A healthy error culture means taking responsibility, not being negligent.
- Diverse teams improve the quality of learning and increase the willingness to report.
Discover valuable insights in this it-sa Expo&Congress 2025 session:
How can technology support people?
Technology can offset human errors, but only when used purposefully. Security measures such as multi-factor authentication (MFA), zero trust and public key infrastructure (PKI) protect identities and reduce the attack surface, ensuring that people are supported in critical situations. These two aspects are particularly important:
- MFA, Zero Trust and PKI strengthen the protection of both humans and machines.
- Reduced dependence on passwords means a smaller attack surface.
Deepen your knowledge with this it-sa Expo&Congress 2025 insight:
What does human risk management really mean?
Human Risk Management quantifies and controls human-related risks. Data-driven KPIs, such as click, report or reaction rates, help us to adjust training and policies dynamically, thereby continuously enhancing security resilience. Pay particular attention to these two aspects:
- KPIs such as click, report and reaction rates are becoming standard.
- Behavioural data is driving dynamic adjustments to training and policies.
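As an added example, not from the page or from any vendor named on it, the KPIs described above computed from a constructed phishing-simulation log: click rate, report rate and median reaction time per department, plus the per-campaign click-rate trend that the earlier "continuous training reduces click rates" point depends on. SimResult, department_kpis, click_rate_trend, the thresholds and every sample value are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimResult:
    campaign: str
    department: str
    delivered: datetime
    clicked: Optional[datetime] = None   # when the lure was clicked, if at all
    reported: Optional[datetime] = None  # when the mail was reported, if at all

def department_kpis(results, click_threshold=0.10, report_threshold=0.50):
    """Click rate, report rate and median reaction time per department, plus a training flag."""
    by_dept = {}
    for r in results:
        by_dept.setdefault(r.department, []).append(r)
    kpis = {}
    for dept, rows in by_dept.items():
        clicks = sum(r.clicked is not None for r in rows)
        # reaction time in minutes from delivery to report; a click followed by a report still counts
        minutes = [(r.reported - r.delivered).total_seconds() / 60 for r in rows if r.reported]
        click_rate, report_rate = clicks / len(rows), len(minutes) / len(rows)
        kpis[dept] = {"click_rate": round(click_rate, 3), "report_rate": round(report_rate, 3),
                      "median_report_minutes": round(median(minutes), 1) if minutes else None,
                      "needs_training": click_rate > click_threshold or report_rate < report_threshold}
    return kpis

def click_rate_trend(results):
    """Click rate per campaign in chronological order, to see whether repeated training lowers it."""
    per = {}
    for r in results:
        c = per.setdefault(r.campaign, {"first": r.delivered, "sent": 0, "clicks": 0})
        c["first"], c["sent"] = min(c["first"], r.delivered), c["sent"] + 1
        c["clicks"] += r.clicked is not None
    return [(n, round(c["clicks"] / c["sent"], 3)) for n, c in sorted(per.items(), key=lambda kv: kv[1]["first"])]

# Constructed sample: two simulated campaigns a month apart (hypothetical names and times, not real data).
T0 = datetime(2025, 10, 7, 9, 0); T1 = T0 + timedelta(days=30)
def _r(camp, dept, t, click=None, report=None):
    at = lambda m: t + timedelta(minutes=m) if m is not None else None
    return SimResult(camp, dept, t, at(click), at(report))
SAMPLE = [
    _r("oct", "Finance", T0, click=3), _r("oct", "Finance", T0, report=12), _r("oct", "Finance", T0, click=7, report=9),
    _r("oct", "Finance", T0), _r("oct", "Engineering", T0, report=4), _r("oct", "Engineering", T0, report=20),
    _r("oct", "Engineering", T0, report=6), _r("oct", "Engineering", T0),
    _r("nov", "Finance", T1, report=5), _r("nov", "Finance", T1, report=8), _r("nov", "Finance", T1, click=15),
    _r("nov", "Finance", T1, report=30), _r("nov", "Engineering", T1, report=3), _r("nov", "Engineering", T1, report=9),
]
```

With this data Finance is flagged for training (click rate 0.375) while Engineering is not, and the click rate falls from 0.25 to 0.167 between the two campaigns.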
Learn more in this session from the it-sa Expo&Congress 2025:
From Risk to Resource: People as the Key to Cyber Resilience
Employees are not the problem; with continuous, context-driven and practical training, they can become a resilient resource. Technology complements behaviour, and together they form the human firewall. Remember these points:
- Without training, people are a risk; with it, they are a resilient resource.
- Awareness only works when it is continuous, practical and context-specific.
- Technology and behaviour complement each other; without one, the other is incomplete.
Human risk management is not a one-off project, but an ongoing process of developing the most important security control of all: people.
Additional resources
