Phishing is a major cyber threat to organizations: it can cause financial and reputational damage and even threaten their existence. Technical measures against phishing should be complemented by awareness training for employees. However, there is little validation of awareness measures. Consequently, organizations carry an additional burden when integrating awareness training, as there is no consensus on which method brings the best success. This paper examines how awareness concepts can be successfully implemented and validated. For this purpose, various factors, such as requirements and possible combinations of methods, are taken into account in our case study at a small- and medium-sized enterprise (SME). To measure success, simulated phishing exercises are conducted. The study suggests that pleasant campaigns result in better performance in the simulated phishing exercise. In addition, significant improvements and differences between the target groups could be observed. The implementation of awareness training with integrated key performance indicators can serve as a basis for other organizations.