According to BSI analyses, around 80 percent of all ransomware incidents in German mid-market companies begin with a successful phishing email to an employee — a single careless second is enough to take the entire workforce offline, encrypt backups, and trigger six-to-seven-figure follow-on costs. For management, CFOs, and IT leadership, this is immediately relevant for three reasons: first, GDPR requires regular training as a technical and organizational measure under Article 32; second, the NIS2 Directive has mandated documented and measurable awareness programs for a large portion of the mid-market since October 2024; third, the BSI recommends in its IT-Grundschutz that recurring phishing simulations are the most effective single measure against social engineering. Organizations with gaps here risk not only operational disruption but personal liability for the leadership level. This article explains what makes an effective phishing simulation program, which metrics actually matter, which vendors are relevant in the market, and what costs you should realistically expect. For context within the overall strategy, see our Cybersecurity Guide for Mid-Market Companies.
Why Phishing Training Is a Board-Level Issue
The Verizon Data Breach Investigations Report 2025 cites a number that belongs in every executive presentation: 68 percent of all investigated data breaches were attributable to the human factor — phishing, pretexting, errors in handling credentials. This figure has remained nearly constant over the past five years, even as technical defenses — email gateways, EDR, SIEM — have improved significantly. The bottleneck is no longer in technology, but in the workforce. That is an uncomfortable truth, because it shifts responsibility from the IT department to the executive leadership.
For German mid-market companies, three regulatory levers amplify the urgency. First, GDPR Article 32, which requires "measures to ensure the security of processing" — documented training shortfalls have led to penalty surcharges in several documented cases. Second, NIS2, which in the German implementing legislation explicitly names "training" as a mandatory measure and holds executive leadership personally liable when supervisory duties are breached. Third, ISO 27001 in the 2022 edition with Control A.6.3, which requires demonstrable awareness programs across the entire employee lifecycle.
On the operational side, insurance and contractual requirements add further weight. Cyber insurers today partially exclude phishing-related losses when no documented awareness program exists. Supplier audits by large industrial clients routinely include questions about the frequency and results of phishing simulations. Organizations unable to supply solid figures here lose contracts or pay substantially higher insurance premiums.
An observation from our practice: in most mid-market companies we have audited, the initial click rate in the first simulation is between 18 and 32 percent. After twelve months with a structured program — monthly waves, brief learning content after a click, a visible report button in Outlook — the same companies typically land at 4 to 8 percent. This reduction is measurable, documentable, and stands in a dramatic ratio to the effort involved. It is one of the few security measures whose effectiveness is this directly demonstrable.
What Distinguishes a Good Phishing Simulation
Not all phishing simulations are equal. The differences between an effective program and a tick-the-box exercise are substantial. Four quality criteria are decisive:
| Criterion | What counts | What doesn't count |
|---|---|---|
| Realism | Genuine brand look-alikes, industry-typical themes (delivery note, invoice, HR), regional adaptation with native-language text and sender addresses | Generic "You won a prize" emails, obvious typos, English standard templates |
| Frequency | Monthly waves, staggered by department, with increasing difficulty throughout the year | A single annual mass event where "everyone" is tested at the same time |
| Learning effect | Immediate, brief, friendly feedback after a click showing the three or four warning signs the employee missed | Long training modules, tests with pass marks, anonymous lists showing click rates |
| KPI depth | Click rate, report rate, repeat-offender rate, response time, manager engagement — segmented by department and risk profile | A single overall click rate with no context or comparative figures |
A central point: the simulation must never be perceived as a trap, but as training. If employees feel that a click will lead to consequences in their personnel file, willingness to report real incidents drops immediately. This is measurable and is one of the most common mistakes in unprofessionally implemented programs. A good simulation is transparently communicated — employees know the program exists, but do not know exactly when the next wave will come. This precise combination produces realistic behavioral data without damaging trust.
Also important is embedding the program in company culture. Programs launched top-down without informing the works council or coordinating with HR fail due to lack of acceptance. Successful programs have a works council resolution, a communicated data protection impact assessment, an explicit no-blame policy, and a visible executive sponsor.
Request a free awareness consultation
Considering introducing phishing simulations or professionalizing your existing program? We offer a free 30-minute initial consultation — we assess your current awareness maturity, suggest a suitable vendor mix, and provide a realistic cost framework.
Request a free awareness consultationKPIs That Actually Mean Something
The choice of metrics determines whether an awareness program is actively managed or merely documented. Measuring only the click rate means optimizing for the wrong target — a program with a declining click rate can simultaneously undermine willingness to report, which is catastrophic in a real incident. The following five KPIs together provide a reliable picture:
- Click rate over timeThe share of employees who click the test link in a simulation wave. The trend matters more than any single figure — declining click rates across multiple quarters are a clear effectiveness signal. Target after 12 months of the program: below 8 percent.
- Report rateThe share of employees who actively report suspicious emails via the report button. This is the most important positive metric because it measures engagement rather than mere avoidance. Target after 12 months: above 30 percent, in mature programs 50 to 70 percent.
- Repeat-offender rateThe share of employees who clicked two or more times within 12 months. This group needs targeted one-on-one coaching, not further mass simulations. A repeat rate above 10 percent indicates that the learning-effect concept needs to be revised.
- Time-to-reportAverage time between delivery of a suspicious email and the first report by an employee. A declining time-to-report below 15 minutes is a strong signal that the workforce is responding routinely. This figure is critical in a real incident.
- Manager engagementThe share of managers and department heads who actively discuss their team's results with employees. Programs in which managers only passively consume reports do not reach the workforce. Manager engagement is the strongest predictor of sustained learning success.
These five KPIs belong in every quarterly report to executive leadership. Those who analyze them segmented by department, location, and function identify the real risk clusters — typically accounting, procurement, and HR, because these teams handle large volumes of emails with attachments and external senders.
Vendor Landscape
The market for awareness platforms has grown strongly since 2020 and is now well-suited to mid-market companies. The following overview categorizes the most important vendors into three groups — it is intentionally framed as guidance rather than a detailed comparison, because selection depends heavily on language, industry, and integration requirements.
Market leaders with broad feature sets. Suitable for companies with several hundred to thousands of employees and high compliance requirements.
- KnowBe4 — largest vendor globally, very broad template library, extensive reporting functions, German content available
- Proofpoint Security Awareness — closely integrated with the Proofpoint email security platform, well suited for existing Proofpoint customers
- Mimecast Awareness — a logical choice with existing Mimecast email security in place, integrated risk scoring per employee
European specialists with a focus on DACH and the EU. Suitable when data protection hosting within the EU, German content, and GDPR compliance are priorities.
- SoSafe — Cologne-based vendor, fully German content, strong focus on gamified learning, DACH market leader
- Hoxhunt — Finnish vendor with an adaptive learning algorithm that automatically adjusts difficulty per employee
Managed-service models and smaller specialist vendors. Suitable for companies without in-house IT security capacity who want to fully outsource the program.
- IT-Seal — German vendor with a strong penetration testing background, often in the managed-service model
- G Data Security Awareness — Bochum-based vendor, a sensible choice with an existing G Data endpoint landscape
From our consulting practice: for German mid-market companies with fewer than 500 employees, SoSafe and Hoxhunt are the most frequent recommendations because they combine German content, GDPR-compliant data processing within the EU, and a manageable price. KnowBe4 pays off in larger structures with multi-language requirements. Selection should always be preceded by a two-to-four-week trial with real employees — content quality varies considerably by language and industry.
What Does an Awareness Program Cost?
The cost of an awareness program depends on three variables: number of employees, in-house versus managed-service model, and depth of reporting and compliance features. The table below shows typical ranges for mid-market companies — it is intended as guidance; precise quotes require a brief scoping workshop.
| Program variant | Per employee / year | One-time setup costs | Internal staffing effort |
|---|---|---|---|
| Entry-level platform, self-operated (50–200 employees) | €15–25 | €2,500–5,000 | 10–15% of one position |
| Standard program, self-operated (200–1,000 employees) | €25–40 | €5,000–10,000 | 20–30% of one position |
| Premium platform with compliance module (500–2,000 employees) | €35–60 | €8,000–15,000 | 30–50% of one position |
| Managed service via external provider | €40–80 | €3,000–8,000 | 5–10% of one position |
The return-on-investment calculation is positive in almost all cases. A mid-market company with 300 employees pays roughly €7,500 to €12,000 per year for a solid standard program. Set against that are damage scenarios from real incidents: according to Bitkom reports, a successful phishing attack with ransomware consequences costs German mid-market companies between €150,000 and €1.2 million per incident — factoring in business interruption, recovery effort, and supply chain impacts.
The decision between in-house operation and a managed service is primarily a question of capacity, not cost. In-house operation is cheaper but consistently requires someone to plan monthly waves, analyze reports, and stay aligned with HR and the works council. Organizations unable to provide this capacity typically fare better with a managed-service model — the slightly higher license costs are more than offset by lower internal effort.
Compliance Mapping: GDPR, NIS2, ISO 27001
Awareness programs address several regulatory requirements simultaneously. The mapping below shows the most important alignments — it does not replace a full compliance analysis, but helps when making the case to supervisory authorities, insurers, and supplier auditors.
| Program component | GDPR Article 32 | NIS2 Article 21 | ISO 27001:2022 |
|---|---|---|---|
| Regular awareness training | Training as TOM | Cyber hygiene and training | A.6.3, A.7.2.2 |
| Phishing simulations with measurement | Proof of effectiveness | Assessment of effectiveness | A.6.3, A.5.36 |
| Report button in Outlook | Incident detection | Incident detection and reporting | A.5.24, A.6.8 |
| Documentation of participation | TOM evidence obligation | Documentation obligations | A.5.37, A.7.2.2 |
| Targeted content for management | Risk-oriented measures | Management responsibility | A.5.4, A.6.3 |
Particularly relevant for NIS2: Article 21 explicitly lists "cyber hygiene practices and training" as a mandatory measure, and the German implementing text adds an obligation to measure effectiveness. Organizations running awareness training without simulation metrics formally satisfy the training obligation but not the measurement obligation — a frequent audit finding. For more detail on NIS2 implementation, see our cluster on NIS2 for Mid-Market Companies.
Frequently Asked Questions
How often should a phishing simulation run in a mid-market company?
An effective frequency consists of monthly simulation waves spread across the entire year, with varying difficulty levels and thematic focuses. Quarterly simulations are the minimum; annual one-off events have demonstrably no learning effect. What matters is distribution throughout the year — not all employees at once, but in waves, so that no word-of-mouth effect arises and realistic responses remain measurable.
Should employees be penalized for clicking on a simulated phishing link?
No. Punitive measures — formal warnings, public lists, salary consequences — are prohibited in any serious awareness practice. They destroy the willingness to report and cause real incidents to go unreported. What works is a learning-oriented approach: after a click, a short, friendly explanation page appears showing the three or four warning signs in the email that the employee missed. Consequences only apply to repeated behavior despite multiple learning opportunities, and even then only in coordination with HR and the works council.
Is e-learning alone sufficient, or are simulations required?
E-learning alone is not enough. Static training modules generate knowledge but not behavior — employees select the correct answer in training quizzes yet still click the link in their real inbox. Only the combination of short e-learning and realistic simulations with immediate feedback demonstrably changes click behavior. Pure simulations without accompanying learning content are also suboptimal — they measure without building.
What about C-level executives and managers — are they included in simulations?
Yes, explicitly. Executive leadership and department heads are the preferred target of professional threat scenarios — think CEO fraud, Business Email Compromise, and targeted spear-phishing. If top-level employees are excluded from simulations, the highest-risk group is missing from the analysis, and it simultaneously undermines the culture because employees notice the lack of role-model behavior. A serious simulation program has dedicated C-level and management scenarios with higher realism.
What frequency is compliant with GDPR and NIS2?
Neither GDPR nor NIS2 specifies a concrete frequency. Both require, however, that training takes place regularly and that its effectiveness is measurable. In practice, data protection supervisory authorities and BSI-oriented NIS2 auditors no longer accept annual one-off training as sufficient when no effectiveness measurement is documented. Quarterly simulations with documented KPIs are regarded as a solid minimum, monthly waves as good practice.
How much does an awareness program cost per employee per year?
For mid-market companies, annual costs range from €15 to €60 per employee depending on vendor and program depth — platform license, simulation templates, learning content, and reporting included. Add one-time setup costs of €2,500 to €12,000, depending on whether the program is self-operated or purchased as a managed service. Internal staffing: one person at roughly 10 to 20 percent of a full-time position is sufficient for ongoing operation in companies with fewer than 500 employees.
How do you measure whether an awareness program actually works?
The most important metric is not the click rate alone, but the report rate — the share of employees who actively report suspicious emails via the report button. A declining click rate without a rising report rate is a weak signal, because employees may simply be ignoring rather than reporting the emails. A program works when after 12 months the click rate falls AND the report rate rises noticeably — typical targets are below 5 percent click rate and above 30 percent report rate.
Ready to train your workforce systematically?
Let's talk for 30 minutes, no commitment. We assess your current awareness maturity, suggest a suitable vendor and frequency model, and deliver a realistic roadmap for the first 90 days — including works council and data protection arguments.
Schedule a 30-minute call