
SAP® security @agileSI - why cybersecurity awareness programmes fail

By Hendrik Jansen  - November 19, 2018

Some reasons why cyber-security awareness programmes fail - and SAP® security also

What are the reasons why cyber-security programmes fail?

What can you do to effectively raise your company's cyber-security awareness?

Governments and commercial organizations around the globe make extensive use of Information and Communications Technologies (ICT). The ICT landscape is changing at an ever faster pace, and as a result its complexity is growing at an ever-increasing rate. COMPLEXITY has a direct effect on SECURITY. You can read all about that in our previous blogs such as:

In their quest to achieve an OPTIMUM SECURITY level, many organizations have deployed (or are deploying) technical security measures (let's call them the security tools and products), and develop security policies (processes) that specify the ‘correct’ behaviour of "the business": the employees who need to work with IT systems, the users and managers (people). Even large organizations think they are secure enough if they have a good policy, or if the auditors have done spot checks and given them "the blessing". Job done... right?

No, actually, individuals who think like that have completely missed the point. The whole purpose of compliance and auditors was to PROTECT the investors and the shareholders, and to compel "management" to take their responsibility and accountability to the next level. Unfortunately, many individuals do not comply with specified policies, so you do not get the expected or wanted behavior. There are many reasons why people (employees) show unwanted behavior. The two most compelling reasons are that people are not aware of (or do not perceive) the risks, or they do not know (or fully understand) what the ‘correct’ behavior is and why that is important.


1) Create awareness for employees in a manner that is INTERESTING & CURRENT & SIMPLE ENOUGH for them.

An awareness (training) program can be effective. If the material used (the examples) is interesting, current and simple enough to be followed by the audience, you have a far better chance of the awareness sticking and having the wanted effect. If a presentation ‘feels’ impersonal, too general or too technical for the intended audience, users will treat the topic as just another obligatory session. You will have lost more than security awareness: you will also have lost productivity time and created user frustration.

2) Spell out the correct behavior underpinned with funny examples.

If you discuss or spell out the right behavior, make the example MEMORABLE. Humor is a great way to make people remember something. Use funny examples of wanted and unwanted behavior. And connect CAUSE and EFFECT, so that people start to understand what cybersecurity is and what each employee can contribute to it. It is not so hard to prepare "funny" examples:

- a PC is found unlocked, and "someone" sends a mail to the department saying that the "user" is treating everyone to cake.

- an email is sent in the name of the CEO to make a payment to company XYZ quickly

- sharing your password with a colleague

- sending that entire customer list to your home computer


Contact us at and we will be happy to explain what works when it comes to SAP Security for your organization.
