The Four Pillars of Cyber Security Awareness

The four pillars of cybersecurity awareness

The Four Pillars of Cyber Security Awareness


95 percent of successful online attacks against organizations require either unwitting or purposeful participation by that organization’s employees (most of the time they are unwitting / unwilling participants in something they don’t even know is happening). 

This article outlines what needs to be done to secure employee behavior. In addition, it lays out the four (4) pillars of success criteria for such a plan. After all, if we cannot measure a program’s effectiveness, how do we know if it works?

The four pillars of cybersecurity awareness

Awareness is NOT (only) training

Many companies think of cybersecurity awareness measures as providing IT security training. However, this is not entirely accurate. As long as 25 years ago, NIST stated the following principle, which still holds true today: 

"Awareness is not only training. The purpose of awareness presentations is simply to draw attention to security."

Thus, it is about fundamentally secure behavior by all employees of an organization! 

So how is Cybersecurity Awareness put into practice? Based on a combination of hundreds of awareness projects at ThriveDX along with data analysis from a global study, we were able to derive the best practices in cybersecurity awareness. Sustainable employee responsiveness and the increasingly secure  behavior of employees in dealing with the Internet and e-mail is best achieved with the help of:


  1. Attack simulations
  2. IT security training
  3. A ‘phishing report button’ and with
  4. Infrastructure assessments of the workplace computer

Attack Simulations

Such simulations, often also called phishing, smishing and vishing attacks, are the most effective way of raising awareness of cyber risks. The great advantage of such simulation campaigns is their realistic nature. However, care should be taken that for example, emails of  a phishing simulation are adapted to the context of the organization and are also written in the “company’s language”. Some simple phishing or smishing scenario à la ‘We give you a tablet for free’ is not paid attention to by most employees nowadays. On the other hand, phishing attempts should always remain recognizable as such. We have discovered that sophisticated phishing campaigns ensnaring many employees may have “teachable moments” but otherwise run the risk of being too clever by half and generally counterproductive.

IT Security Training

Even if IT security training presents fewer “real life” situations and is therefore   less effective, the value of this training module in the market is undisputed. It builds and strengthens the theoretical knowledge of employees. Training diplomas serve as proof of training and can also be used for individual learning assessments. This is particularly useful in the GDPR legal space, where attack simulations are often conducted anonymously, implicating no one individual. Because victims are not disclosed,  no conclusions can be drawn about the individual.

The 'Phishing Report Button

So-called phish buttons are a simple but incredibly effective IT security tool. In essence they provide employees with an efficient “one push” button to report suspicious emails. . These are subsequently analyzed by the Infosec Team and the employee receives a response on the criticality of the reported message. This encourages individual engagement, activating the ‘human firewall’. The IT department benefits from qualified reports of suspicious mails while weaker employees gain much more security in their daily work. It is important that the employee receives a response to his messages. If this does not happen, then the commitment and dedication of the employees slackens.

Infrastructure Assessments of Work Computers

Cybersecurity awareness is not only about the person, but also about his or her workplace computer. If you want to get a 360° view on employee awareness and security, malware simulations, mail filter and web filter tests on the employee’s computer make sense. A malware simulation answers the system administrator’s questions like ‘how far could a ransomware attack get  on the possibly infected computer and in the company network’. In this way, vulnerabilities can be detected and closed/mitigated. The mail and web filter test answers the admin’s question ‘Which email attachments get through the company’s security filters?’ Here too, risk exposures can be better identified. On the basis of these findings, it is also possible to carry out file-based phishing simulations with the same file extensions in order to reduce the risk by target training the staff.

Status of the Implementation of Cybersecurity Awareness Measures in Practice

In a wide-ranging study, around 1900 specialists were surveyed on the use of awareness measures in 2022. It  reveals that attack simulations – especially phishing simulations –  have caught up with awareness training. Phishing incident buttons were used by less than half of the respondents and the use of infrastructure assessments is not readily apparent.

In conclusion, if you want to conduct holistic cybersecurity awareness, you have to rely on the 4 pillars attack simulations, IT security trainings, phishing button and infrastructure assessments!


At ThriveDX, we help you re-skill employees to add those saved expenses back to your bottom line. If you’re interested in learning more about how ThriveDX solutions can be customized for your business, we’d be happy to discuss in further detail.

Best Security Awareness Training for Employees: E-Learning Guide

Palo Stacho has been an entrepreneur, public speaker and thought leader in the IT industry. He holds a Swiss Federal Diploma in Computer Science and a postgraduate degree in Corporate Governance from the HSG. After spending several years working in cybersecurity, Palo joined Lucy Security as a Co-Founder to help build the company in 2015. As a project manager and solution consultant, Palo has experience from dozens of cybersecurity awareness projects, be it at Lufthansa, Bosch, Mobiliar Insurance, OMV, Swisscom and more. In 2022, Lucy Security was acquired by ThriveDX’s Enterprise Division and has remained on as an Advisor to the company. 

Protect Your Organization from Phishing


Explore More Resources

Those aspiring to a career in the cybersecurity industry often find themselves faced with
GitLab Inc. Increases Security Awareness for Development Teams Through New Partnership with Kontra's Cutting-Edge
Online, self-paced learning offers a dynamic and flexible approach to redefine how individuals can
Explore our CEO's perspective on overcoming cybersecurity's human factor challenges: bridging the talent and

Your Trusted Source for Cyber Education

Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.

Download Syllabus

Let’s Talk

Download Syllabus

Apprenticeship Program

Apprenticeship Program

Let’s Talk

Get Your Free Trial

Access our Free OWASP Top 10 for Web

Enter your information below to join our referral program and gain FREE access for 14 days

Follow the steps below to get FREE access to our OWASP top 10 for Web course for 14 days

  1. Simply copy the LinkedIn message below
  2. Post the message on your LinkedIn profile
  3. We will contact you as soon as possible on LinkedIn and send you an invite to access our OWASP Top 10 for Web course


Make sure you confirm the tag @ThriveDX Enterprise after pasting the text below in your LinkedIn to avoid delays in getting access to the course.

Ready to Share?

Take me to now >

Contact ThriveDX Partnerships

[forminator_form id=”10629″]
Skip to content