
Guest Post | Security Awareness That Works with the Help of OSINT Tools
Phishing simulations often ripple through daily business life almost unnoticed. However, as soon as we conducted a hands-on workshop, the picture changed completely. The exercises were discussed and generated a level of attention that persisted long after the session ended.
“I've got my privacy settings under control.”
Many of us lull ourselves into a false sense of security. Statements such as “I don't need a password manager; I can remember all my passwords”, “I have an unbeatable password system where I just change the number at the end”, and “I have nothing to hide; it doesn't matter if others know my address” are commonplace.
This behaviour is not the exception, but the rule, and it is entirely human. Employees have the goal of getting their work done, and security often feels like an additional task that complicates everything. Having to enter extra codes, log back in constantly, and come up with complex passwords uses up mental energy that is often lacking in a busy workday. It doesn't feel efficient, which is why we naturally seek simpler solutions.
A Challenge for Security Officers
This presents a major challenge for security officers. On one hand, they do not want to burden employees with additional measures; on the other, they are responsible for securing the company. Consequently, they often keep awareness measures “small”, just so that something has been done and a box can be ticked at the end of the day. The result is that the lesson never reaches the workforce.
Awareness Needs to Be Bolder
For measures to be noticed, they must command more attention. That means communicating across every available channel, not just an annual e-learning module. It is also a team effort: support from corporate leadership is essential, and with that backing, bolder approaches become possible.
OSINT workshops: When the “aha” moment becomes visible
This is exactly where OSINT workshops come in. OSINT (Open Source Intelligence) refers to the collection and analysis of publicly available information. In these practical workshops, participants learn to work with the same tools that attackers use.
When employees conduct their own research and discover step by step what information about them or test subjects is publicly available, they experience an immediate “aha” moment. Suddenly, abstract security risks become tangible. Their own address, phone number, photos from their last vacation, professional connections, and even password hints from old forum posts come together to form a picture that fraudsters can exploit.
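To make that “picture” concrete, here is an added example that is not part of the original post or of any workshop material: a short Python script that takes constructed sample facts of the kind listed above (a pet's name, a hometown, a favourite team, a birth year) and derives the few hundred password guesses an attacker would try first, including the “I just change the number at the end” habit quoted earlier. The profile, the years and the forum hint are invented for illustration; no real person is described.

```python
"""Added example, not from the original post: turning collected public facts
into a small, targeted password-guess list, the way a workshop participant
playing 'attacker' would.  All names, years and the forum hint below are
constructed sample data, not a real person."""
import itertools
import re

# Constructed sample profile: what a participant might assemble about a test
# subject from a social profile, a captioned vacation photo and an old forum post.
PROFILE = {
    "first_name": "Alex",
    "pet": "Bruno",          # dog named in a photo caption
    "hometown": "Lisbon",    # from a profile field / vacation photo
    "team": "Benfica",       # from a forum signature
    "birth_year": 1988,      # from a public birthday post
}

# Common 'leet' substitutions people believe make a word unguessable.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def seed_words(profile):
    """Case variants of each personal fact: 'bruno', 'Bruno', 'BRUNO'."""
    words = set()
    for key in ("first_name", "pet", "hometown", "team"):
        w = profile[key]
        words.update({w.lower(), w.capitalize(), w.upper()})
    return sorted(words)


def year_suffixes(birth_year, current_year):
    """Years people append: birth year (4- and 2-digit), a school/university
    graduation window, and the last few calendar years."""
    years = {str(birth_year), str(birth_year)[-2:]}
    years.update(str(y) for y in range(birth_year + 17, birth_year + 25))
    years.update(str(y) for y in range(current_year - 3, current_year + 1))
    return sorted(years)


def build_wordlist(profile, current_year=2025):
    """Every seed word (plain and leet-spelled) joined with every common suffix."""
    suffixes = (year_suffixes(profile["birth_year"], current_year)
                + [str(d) for d in range(10)] + ["!", "1!", "123"])
    stems = set()
    for w in seed_words(profile):
        stems.add(w)
        # Uppercase letters are not in LEET, so 'BRUNO' maps to itself and is deduplicated.
        stems.add(w.translate(LEET))
    return sorted(stem + suf for stem, suf in itertools.product(stems, suffixes))


def next_rotations(password, steps=3):
    """Model the 'I just change the number at the end' habit: given one old
    password (e.g. from a breach dump), predict the next few.  Returns [] when
    there is no trailing number to rotate."""
    m = re.fullmatch(r"(.*?)(\d+)(\W*)", password)
    if not m:
        return []
    stem, num, tail = m.groups()
    width = len(num)  # keep zero-padding: 'Bruno09' -> 'Bruno10'
    return [f"{stem}{int(num) + i:0{width}d}{tail}" for i in range(1, steps + 1)]


if __name__ == "__main__":
    wordlist = build_wordlist(PROFILE)
    print(f"{len(wordlist)} candidates from five public facts")
    # Constructed forum hint: "my dog's name + the year I graduated".
    print("Bruno2006 covered:", "Bruno2006" in wordlist)
    print("Rotations of Lisbon2022!:", next_rotations("Lisbon2022!"))
```

The point of the exercise is the size of the list: a few hundred guesses built from five facts, against which an online login with lockout still holds but a leaked password hash does not, and one old password from a breach dump is enough to predict the current one if only the trailing number has changed.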
This personal involvement makes all the difference. Unlike theoretical training courses or phishing simulations, participants experience firsthand how easy it is to track digital traces. They understand not only intellectually but also emotionally why data protection and information security are important. And it is precisely this emotional component that ensures that what they have learned sticks and leads to actual behavioral changes.
Conclusion: Awareness Requires Experience, Not Just Information
Effective security awareness is not achieved through lecturing, but through experience. When employees take on the role of “attackers” and discover their own exposure, they learn in a way that presentations alone cannot achieve. Investing in such practical formats is worthwhile: employees develop a heightened sense of security awareness and suddenly understand the true purpose of security measures.
Norphluchs Guest Post
Written by: Jill Wick