Humans as a weak point are a recurring theme in IT security. Lack of awareness, lack of information and human error cannot simply be resolved with an update.
Preparing the relevant information efficiently and in a way that everyone can understand is not as easy as one might think at first glance. Not all employees have a technical affinity, what they hear cannot always be independently applied to practice, and old habits are notoriously stubborn.
4 + 1 tip to create and improve cyber security awareness
1. Address the right target group(s)
Sometimes the (too) technically prepared information simply does not fit the level of knowledge and information of the addressees. Content is too long and complex–or too mundane and boring. Always keep your target group in mind when creating the information!
Also, avoid fancy technical terms and stick to understandable everyday language. It must be easy for the audience to understand why various precautions are important and what exactly you are expecting of them in practice. An appealing presentation or witty design can also help to attract attention and be remembered.
2. Practical information about risks and threats
Stimulate the curiosity of your colleagues so that they want to deal with the topic out of self-interest, because this is how you achieve the best learning effect! Point out why the new knowledge is worthwhile and what benefits it brings personally – for example, to inform and protect their own family.
Explain in an understandable way about known and new risks and their effects. Make a direct reference to everyday (working) life and give concrete tips and guidelines for the desired reaction and course of action. Organise the information in short, clear modules with the optional possibility to go into more depth. You can also establish a good reference to everyday life with videos or podcasts. 
3. Create open communication and space for questions.
Create an open communication atmosphere with the saying “There are no stupid questions” in mind. Especially people who have only very superficial contact with IT are quickly overwhelmed with information that experienced users already take for granted.
The possibility to ask simple, basic questions about all areas without losing face encourages employees to approach the complex topic. At the same time, the questions and feedback give you indications of where there is still potential for explanation or improvement from the user’s point of view.
4. IT security is an ongoing process
Building and training IT security awareness is a continuous process that requires firm anchoring in the company. Content can alternate and take different forms. Important core topics should be repeated. Regular information packed into small “bites” is more effective than less frequent but comprehensive mailings. Also, use freely available resources and share suitable security tips from others – this makes the presentation more varied and shows that the topic of cyber security has general relevance.
Variety also comes from interactive methods and tests that give you additional feedback on possible strengths and weaknesses. These can vary across departments and scenarios to assess effectiveness. A simple starting option is, for example, the simulation of phishing emails. Besides, external specialists can help to conduct appropriate testing, awareness campaigns and individual training. 
Extra tip: Make sure you set an example!
The IT department and the management play a key role in the implementation of all security measures. Never underestimate the indirect communication of priorities in everyday life, which you and your colleagues convey and exemplify to other employees through your daily actions!
You might also be interested in this: