# Security awareness training

**What is security awareness training?**

Security awareness training is a short, regularly repeated briefing for staff that makes common attacks on people recognisable, such as forged invoices, calls purporting to come from the managing director, and cloned login pages. It also establishes where a suspicion is reported.

Attacks regularly aim at people. An email that looks like an invoice from a familiar supplier. A telephone call supposedly from the managing director demanding an urgent transfer. A message from the alleged IT department asking for a password. Technical filters catch a share of this. The final decision rests with the person at the screen, and that is exactly where awareness training does its work.

Effective training is short, repeated, and built on examples from your own working day. Show real emails that arrived in the business, together with the features that give them away: the sender address that reads differently on second glance, the manufactured time pressure, the changed bank account number on a familiar invoice, the destination of a link that appears when the mouse hovers over it. Work with concrete cases from your own trade, because your staff will recognise them again in daily work.

The most important sentence in any training session is this: reporting is welcome, and whoever reports gets no trouble for it. An employee who fears being reprimanded for a click reports the incident hours later, and those hours decide the extent of the damage. So define one simple reporting route, an address or a telephone number, display it where everyone sees it, and state what happens once a report comes in.

Phishing simulations, meaning test emails sent to your own staff, are a useful exercise under certain conditions. Announce the exercise programme in advance, evaluate the results anonymously, involve any staff representation, and refrain from assessments of named individuals. The purpose of the exercise is a greater willingness to report.

The NIS2 Directive lists cyber hygiene and training expressly in its catalogue of risk management measures and obliges the management bodies of covered entities to attend training themselves. In Austria the NISG 2026 implements these requirements. For businesses outside its scope, training remains a measure of modest cost and immediate effect. Whether a known reporting route exists and how suspicious emails are handled are among the organisational points recorded by the IT-Check.

## Related terms
- [Phishing](https://vetosec.at/en/it-security/phishing/)
- [Social engineering](https://vetosec.at/en/it-security/social-engineering/)
- [CEO fraud and invoice fraud](https://vetosec.at/en/it-security/ceo-fraud/)
- [Two-factor authentication (2FA)](https://vetosec.at/en/it-security/zwei-faktor-authentifizierung/)

## Source
https://vetosec.at/en/it-security/awareness-schulung/ (vetosec, schutz)
