Awareness 2.0: The 5-level Journey to the Human Firewall

The reality is that despite regular sensitization and growing security awareness among employees, companies continue to be targeted by sophisticated cyber attacks on a daily basis. This is why an approach is needed that focuses on people - because only with human-centered security can cyber protection be truly effective and sustainable.

Figure 1: Spearphishing links and phishing are among the ten most common gateways.

Even trained teams remain vulnerable! The attack on Radix in Zurich in June 2025 demonstrated this in a terrifying way: Trained employees were specifically targeted and the "human firewall" was breached using cunning methods. Sensitive data, including from federal administrations, fell into the hands of the attackers during this attack and later reappeared on the darknet.

This incident illustrates how great the danger is, especially for critical infrastructures and their suppliers in Switzerland. It shows that knowledge alone is not enough. A strong human firewall can only be created through a systematic, active change in behavior.

In the race between attack and defense, spearphishing links and phishing are the undisputed leaders among the most important attack vectors, as current evaluations by our incident response team show.

Regulatory pressure on those responsible for security in companies is adding to the challenges. This is because the EU is continuously tightening cyber security requirements. The Swiss government has also recognized that human factors in IT security need to be regulated more strictly by law. Further regulations are therefore foreseeable. Companies that act now therefore have a clear advantage.

If you want to protect an organization against cyber threats in the long term, you have to go beyond mere knowledge, just as you do with your own health. Just as theoretical knowledge about nutrition and exercise does not automatically make you fit, it is not enough to simply be informed about potential cyber threats when it comes to security awareness.

It is crucial for the security of a company to regularly practice the correct behavior to protect against cyber attacks through spear phishing, phishing and social engineering and to actively and permanently anchor it in everyday life.

Security awareness: 5 levels for a strong human firewall

On the way to a strong security culture, every organization goes through five different stages of development. It is necessary to recognize that not only companies as a unit, but also teams and individual employees within the company need to be addressed at different levels of maturity.

Our Security Awareness Journey enables companies to increase their current maturity level in a targeted manner and with the appropriate measures, tailored to the respective starting position.

Figure 2: Leveling up security culture from 0 to 100 in 5 stages.

Level 1: Getting started - inventory & concept (10 %)

Human-centered security only unfolds its full effect when the initial situation and goals are clearly defined. Many companies lack guidance on how to get started with their awareness program and where to begin. This is because it is often unclear which teams need the most urgent support.

This is exactly where the first step of the Security Awareness Journey comes in. Together with the company, we create a structured overview of existing resources, relevant target groups and potential stumbling blocks, thus laying the foundation for a targeted and effective awareness program.

Typical key questions:

• What do we need?
• Where do we currently stand?
• What is the best way to proceed?

After analyzing the initial situation, we work with the company to define the next decisive steps. On this basis, it is possible to develop a solid foundation tailored to the organization for the development of sustainable security awareness.

Level 2: Management buy-in (30 %)

Sustainable awareness and behavioral change in the security culture begins at management level. At this journey level, we check whether and to what extent the topic of awareness is anchored in management. We then develop specific measures together to involve the management level and win them over to the topic.

Typical key questions:

• Is awareness carried at C-level?
• Are there KPIs or a budget?

Top measures at "management buy-in" level:

• Management workshops
• Phishing simulations with reporting
• KPIs and report compilation

Level 3: Training & education (50%)

The aim of establishing a sustainable security culture is to bring about a lasting change in behavior. To achieve this, we rely on selected, practical training formats and, if necessary, develop individual training courses that are precisely tailored to current requirements.

Typical key questions:

• Do we have training courses for different target groups?
• Do our training courses cover all relevant risks and current threats?
• What compliance requirements do we have to meet?

Top measures at "Training & education" level:

• E-learnings
• Personal awareness shows
• Admin training

Level 4: Engagement & branding (70%)

In this phase, we use targeted measures to strengthen the positive attitude towards security and encourage active participation. This is the only way to bring awareness to life in everyday life and make it a natural part of the corporate culture.

Typical key questions:

• Is security content used voluntarily and with interest?
• How regular and varied are the communication measures?

Top measures at "Engagement & Branding" level:

• Campaigns on current topics (e.g. deepfakes, artificial intelligence)
• Awareness videos
• Gamification

Level 5: Develop a security culture (100 %)

A strong security culture goes beyond mere awareness-raising. It becomes evident when measurable successes are achieved and security is integrated into everyday life as a matter of course. It goes without saying that joint support from employees and management is key here.

Typical key questions:

• What is the current safety culture like?
• How do we measure the learning success and the actual change in behavior?
• How strongly do employees identify with the topic of safety?

Top measures at "Develop safety culture" level:

• Security culture survey
• Individual security ambassador program

Use your security advantage with InfoGuard

Effective protection against cyber threats is created when weaknesses are made visible and remedied in a targeted manner through tailored measures.

Benefit from a systematic approach to precisely determine the current level of maturity and identify the weak points in your organization. Instead of standard training courses, you will receive a customized awareness strategy that focuses on the key levers. Namely, where the most significant security gains can be achieved.

After all, cyber security is our passion and in today's threat landscape of spearphishing links, phishing and social engineering, we know this: Without practiced security awareness, any defense remains incomplete. That's why we have been doing everything we can to protect our customers from cyber threats day in, day out for over 20 years. And because security awareness cannot be a fixed state, but can be raised to an effective level step by step, analyzing your own level of maturity is a key starting point.

Whether you are just taking the first step or want to further develop your existing human firewall in a targeted manner: We are your partner for the next steps of your Security Awareness Journey.

Image caption: Image generated with AI