How to Run a Security Awareness Campaign (Not Just a Training Module)

April 2, 2026

Most organisations meet their security awareness obligation by assigning a training module once a year, tracking completion rates, and filing the report. Completion rates improve after a reminder email, the module is done by the end of the quarter, and the programme is considered active. Twelve months later, the cycle repeats. This approach satisfies a compliance checkbox. It does not produce lasting behavioural change, because that is not how behavioural change works.

Security awareness campaigns work differently. A campaign is a sustained, planned sequence of activities -- simulations, nudges, short communications, live events, check-ins -- that keeps security visible to staff and reinforces specific behaviours over an extended period. The research on behaviour change is unambiguous on this point: repeated, spaced exposure to a message produces more durable change than a single intensive intervention. An awareness module is a single intervention. A campaign is a system designed to produce a different outcome.

The Architecture of an Effective Campaign

An effective security awareness campaign has a few structural elements that distinguish it from a one-off training activity. It has a theme or focus that is sustained across the campaign period -- for example, phishing awareness, or password and authentication security -- rather than attempting to cover all security topics simultaneously. It uses multiple channels and formats rather than relying on a single e-learning module. It is timed to align with real events in the organisation's calendar, not just compliance deadlines. And it has defined metrics that go beyond completion rate.

A 12-week phishing awareness campaign, for example, might include: a kick-off communication explaining what the campaign is and why it is happening; a short module on recognising phishing indicators; a phishing simulation in week two; a follow-up communication to all staff with aggregate results (not individual naming); a second simulation in week six with a more sophisticated scenario; a short video or live session from a practitioner explaining how they see attackers operating; a third simulation in week ten; and a summary communication sharing what the campaign achieved. That sequence takes more effort to design and run than a single module, but it produces outcomes a single module cannot.

Choosing Themes That Match Your Actual Risk Profile

Campaign themes should be chosen based on where your organisation's actual exposure lies, not on what is easiest to deliver or what the latest industry report is focused on. An organisation that has recently moved to hybrid work has different priority topics than one that has just completed a merger and has a new set of contractors with system access. Councils and community organisations face different social engineering profiles than technology firms. The theme of your campaign should reflect the specific context your staff are operating in.

Some campaign themes that we see working well for Australian mid-market organisations include:

  • Phishing and smishing: recognising and reporting attempted attacks across email and mobile
  • Business email compromise: understanding how payment fraud works and how to verify requests
  • Password and authentication: moving to a password manager and understanding why MFA matters
  • Data handling: what to do with sensitive information and what counts as sensitive in your context
  • Remote and hybrid work: home network risk, device use, and shadow IT

Communications That Work and Ones That Do Not

Campaign communications that work are specific, short, and grounded in real scenarios. A one-paragraph email that describes a recent attack technique and what staff should do if they encounter it is more effective than a five-page security newsletter that most people will not read. Visuals that show what a phishing email or smishing message looks like are more useful than abstract descriptions. Content that explains the why behind a security practice lands better than content that just states the rule.

Communications that do not work include anything that is generic enough to apply to any organisation, anything that feels like it was written by a compliance team rather than a practitioner, and anything that treats staff as a problem to be managed rather than as people the organisation is trying to equip. The tone of a campaign matters. Security communications that are condescending, alarmist, or bureaucratic will be ignored. Communications that are direct, useful, and respectful of people's time will not.

Measuring a Campaign Against Behaviour, Not Completion

The metrics for a campaign should map to the behaviour you are trying to change. If the campaign is focused on phishing awareness, the primary metric is the combination of click rate and report rate across the simulation sequence -- not whether staff completed the associated module. A programme where click rates trend downward and report rates trend upward over the course of the campaign is working. A programme where 100% of staff complete the module but report rates stay flat is producing records, not outcomes.

Secondary metrics might include: the number of genuine phishing attempts reported to the security team during the campaign period; the average time between a phishing simulation landing and the first report being made; and qualitative feedback from staff about whether the campaign helped them understand something they were previously unsure about. Together, these give a richer picture of what the campaign achieved than a completion rate ever could.

We design and deliver security awareness campaigns for organisations that want to move beyond the annual compliance module. If you are ready to run something that produces actual behaviour change, get in touch at info@cyberlinx.com.au.

Table of Contents
Resource Type
Guides
Category
Offensive Security
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?