What is security awareness?
Security awareness is the knowledge, judgement and behaviour of staff toward cyber threats: recognising phishing, handling passwords and data correctly, and knowing when and how to react. It is the human side of cybersecurity, the side technology alone doesn't protect.
The definition
Security awareness is not software and not a firewall. It is the ability of the people in a company to recognise fraud attempts and respond correctly. An employee with good security awareness pauses when an email asks for a password, calls back on a known number when "the CEO" requests a transfer by phone, and speaks up when something seems off.
The opposite isn't stupidity, just lack of training. Well-meaning staff who have never seen what phishing looks like click on it, not out of carelessness but because to them it looks like any other email.
Why it matters
Most attacks start with a person, not a technical flaw. Phishing, phone scams, CEO fraud and AI voice cloning all target the employee, because tricking a person is cheaper and more reliable than breaking through technical defences. A company can have sound technical controls and still lose millions to a single phone call if the employee who answered had never heard of the scam.
That's why staff training isn't an add-on to cybersecurity but part of its core. The EU's NIS2 directive lists cybersecurity training explicitly among the mandatory risk-management measures (Article 21).
What security awareness covers
Awareness training covers what staff actually meet in a real working day:
- Phishing and fake login pages
- Strong passwords, password managers and multi-factor authentication
- Phone scams (vishing), CEO fraud and AI voice cloning
- Data handling, sharing links and shadow IT
- Safe use of AI at work
- USB drives, public Wi-Fi and security outside the office
- Recognising an incident and reporting it immediately
How to train it so it actually works
Research on learning retention points consistently in one direction: short, repeated training beats long annual courses by a wide margin, because people remember what they see often (the spaced-repetition effect). An annual one-hour course satisfies a requirement on paper but is largely forgotten within weeks.
Four things separate training that works from a formality: it is short (a few minutes at a time), regular (monthly rather than yearly), in the staff's native language with examples they recognise from their own environment, and measured, so managers can see who has completed it and whether results are improving over time.
How the results are measured
The most common metrics are completion rate, quiz results and their trend over time, and, at many companies, phishing simulations that measure how many staff click a test email before and after training. Click rate alone is a noisy signal; the report rate (how many staff report the test email, and how quickly the first report arrives) says more about whether the organisation would catch a real attack, and a small group that clicks in every campaign needs targeted training even when the overall rate is falling. The documentation matters in itself: for NIS2, auditors, insurers and customers you need to prove who was trained and when.
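The calculation behind those simulation metrics, as an added example that is not part of the original page and not Varhugi's code: a constructed event log from two monthly test campaigns is aggregated into per-campaign click, credential-submission and report rates, the change in click rate across campaigns, and the list of people who clicked in more than one campaign. The event tuple format (campaign, user, event type, ISO timestamp) and every record in SAMPLE_EVENTS are assumptions made up for this illustration.

```python
"""Phishing-simulation metrics from a constructed event log.

Added example for this page; not code from the original article or from
Varhugi. The event format (campaign, user, event, ISO timestamp) and every
record in SAMPLE_EVENTS are assumptions made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Constructed sample data: two monthly campaigns sent to the same five staff.
# "delivered" is the denominator; "clicked", "submitted" (credentials typed
# into the fake login page) and "reported" are what the simulation records.
SAMPLE_EVENTS = [
    ("2024-03", "anna",  "delivered", "2024-03-04T09:00:00"),
    ("2024-03", "bjorn", "delivered", "2024-03-04T09:00:00"),
    ("2024-03", "clara", "delivered", "2024-03-04T09:00:00"),
    ("2024-03", "dagur", "delivered", "2024-03-04T09:00:00"),
    ("2024-03", "eva",   "delivered", "2024-03-04T09:00:00"),
    ("2024-03", "anna",  "clicked",   "2024-03-04T09:07:00"),
    ("2024-03", "anna",  "clicked",   "2024-03-04T09:08:00"),  # second click, counted once
    ("2024-03", "anna",  "submitted", "2024-03-04T09:09:00"),
    ("2024-03", "bjorn", "clicked",   "2024-03-04T09:20:00"),
    ("2024-03", "clara", "reported",  "2024-03-04T09:30:00"),
    ("2024-03", "dagur", "clicked",   "2024-03-04T11:00:00"),
    ("2024-04", "anna",  "delivered", "2024-04-08T09:00:00"),
    ("2024-04", "bjorn", "delivered", "2024-04-08T09:00:00"),
    ("2024-04", "clara", "delivered", "2024-04-08T09:00:00"),
    ("2024-04", "dagur", "delivered", "2024-04-08T09:00:00"),
    ("2024-04", "eva",   "delivered", "2024-04-08T09:00:00"),
    ("2024-04", "anna",  "reported",  "2024-04-08T09:05:00"),
    ("2024-04", "bjorn", "clicked",   "2024-04-08T09:15:00"),
    ("2024-04", "clara", "reported",  "2024-04-08T09:40:00"),
    ("2024-04", "eva",   "reported",  "2024-04-08T10:10:00"),
]


@dataclass(frozen=True)
class CampaignMetrics:
    campaign: str
    delivered: int
    click_rate: float                         # unique users who clicked / delivered
    submit_rate: float                        # unique users who entered credentials / delivered
    report_rate: float                        # unique users who reported the mail / delivered
    first_report_after: Optional[timedelta]   # delivery to first report; None if nobody reported


def campaign_metrics(events: Iterable[tuple]) -> dict:
    """Aggregate raw events into per-campaign rates.

    Rates are over unique users with the delivered count as denominator, so
    repeated clicks by one person count once and a campaign that reached
    nobody yields no metrics rather than a division by zero.
    """
    users = defaultdict(lambda: defaultdict(set))   # campaign -> event -> {user}
    earliest = defaultdict(dict)                     # campaign -> event -> first timestamp
    for campaign, user, kind, stamp in events:
        when = datetime.fromisoformat(stamp)
        users[campaign][kind].add(user)
        earliest[campaign][kind] = min(earliest[campaign].get(kind, when), when)

    result = {}
    for campaign in sorted(users):
        delivered = len(users[campaign]["delivered"])
        if delivered == 0:
            continue
        first_report = None
        if "reported" in earliest[campaign]:
            first_report = earliest[campaign]["reported"] - earliest[campaign]["delivered"]
        result[campaign] = CampaignMetrics(
            campaign=campaign,
            delivered=delivered,
            click_rate=len(users[campaign]["clicked"]) / delivered,
            submit_rate=len(users[campaign]["submitted"]) / delivered,
            report_rate=len(users[campaign]["reported"]) / delivered,
            first_report_after=first_report,
        )
    return result


def click_rate_change(metrics: dict) -> Optional[float]:
    """Click-rate change from the first to the latest campaign (negative = improvement)."""
    if len(metrics) < 2:
        return None
    ordered = [metrics[c] for c in sorted(metrics)]
    return ordered[-1].click_rate - ordered[0].click_rate


def repeat_clickers(events: Iterable[tuple], min_campaigns: int = 2) -> list:
    """Users who clicked in at least min_campaigns distinct campaigns.

    A falling overall click rate can hide a small group that clicks every
    time; these are the people to give extra, targeted training.
    """
    clicked_in = defaultdict(set)
    for campaign, user, kind, _ in events:
        if kind == "clicked":
            clicked_in[user].add(campaign)
    return sorted(u for u, cs in clicked_in.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for c in m.values():
        print(f"{c.campaign}: delivered={c.delivered} click={c.click_rate:.0%} "
              f"submit={c.submit_rate:.0%} report={c.report_rate:.0%} "
              f"first report after {c.first_report_after}")
    print("click-rate change:", click_rate_change(m))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

On the constructed data the click rate falls from 60% to 20% and the report rate rises from 20% to 60%, with the first report arriving after 5 minutes instead of 30; "anna" is not a repeat clicker because her two clicks were in the same campaign, while "bjorn" clicked in both and would be flagged for follow-up training. Using delivered mail as the denominator matters in practice: counting sent mail instead lets bounces and filtered mail flatter the result.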
Frequently asked questions
- What is security awareness?
- Security awareness is the knowledge and behaviour of staff toward cyber threats: recognising phishing and scams, handling passwords and data correctly, and knowing how to react. It is the human side of cybersecurity.
- Why does security awareness matter?
- The vast majority of cyber attacks target people, not technology. Phishing, phone scams and CEO fraud bypass technical defences by tricking an employee. Trained staff are the defence that catches those attacks.
- What is the best way to train security awareness?
- Short, regular training works best: a few minutes at a time, monthly, in the staff's native language with realistic examples. Long annual courses are forgotten within weeks.
- Is security-awareness training mandatory under NIS2?
- Yes, for companies covered by the directive. Article 21 of NIS2 lists cybersecurity training for staff among the mandatory risk-management measures, and under Article 20 management itself undergoes training.
This is what working awareness training looks like
Varhugi trains security awareness with five-minute monthly modules, in Icelandic, with examples from the Icelandic workplace. Certificates and reports are automatic.