Written by Anders Schultz-Møller

Cyber security awareness in Danish organizations: Here’s what you need to know

Cyber threats in Denmark are not an “if”. It’s a “when”.

In the national threat assessment The cyber threat to Denmark the Danish Social Security Agency assesses that it is very likely that Danish organizations will be exposed to attempted ransomware, digital fraud and DDoS attacks. These are not niche incidents. They have become a regular part of the threat landscape.

At the same time, the approach to compliance has changed from ‘we have a policy’ to ‘prove it works in practice’. The NIS2 directive plays a big role in this. The original registration deadline was October 1, 2025, so today, new entities must register within two weeks of becoming subject to the rules.

This is exactly where many organizations fall into the same trap: cyber awareness becomes an annual e-learning checkup that yields great completion rates but doesn’t change behavior.

Why classic awareness often doesn’t work

(although it seems to work)

Most programs measure at the easiest level: completed or not completed.

The problem is that knowledge doesn’t automatically turn into action, especially when an employee has a busy schedule, a trustworthy email and an “urgent” signal in their body.

A meta-analysis from Leiden University finds that cybersecurity training generally improves knowledge and other precursors of behavior, while the effect on behavior is more moderate, pointing to the need for ongoing reinforcement and designs that maintain habits over time.

And when looking broadly at breach data, the “human element” is still a key driver. In Verizon‘s 2025 Data Breach Investigations Report, human involvement is around 60% in this year’s dataset.

The practical conclusion: You can’t “e-learn” your way out of risk. You can design your way out of it.

A better approach

Turn cyber awareness into a behavioral system

Think of cyber awareness as a three-part system:

1. Baseline (common minimum level)
2. Reinforcement (small, repeated learning moments)
3. Measurement (evidence, KPIs and feedback loop)

It also matches the direction NIST points to, where learning programs should be lifecycle-based and continuously improved, not static “once a year” campaigns.

1) Baseline

This is where a short, modular course makes sense, because you get a consistent foundation throughout the organization, also across languages and teams.

In collaboration with BDO, Grape has put together an online IT security course with 9 modules and a duration of approximately 30 minutes, in multiple languages.

It’s a strong baseline when you need something that can be implemented quickly and documented.

2) Reinforcement

Once the baseline is in place, the next goal is simple: make the right micro-reactions happen on autopilot.

It’s typically about:

• Stop and check for payments, supplier changes, changed account numbers and “quick approval”
• Report early (better once too much than once too little)
• Confirm in second channel for CEO fraud and pretexting
• Lock down standards: MFA, password manager, updates, data sharing

Reinforcement can be monthly mini-scenarios, short quizzes, a simple “example of the week” email, or manager nudges in team meetings. The point is repetition without draining the calendar.

3) Measurement

Here are KPIs that typically make sense because they can be documented and explained:

• Reporting rate: how many suspicious incidents are reported? (higher is often better in the beginning)
• Time to report: how quickly does a suspicion come in?
• Verification behavior: how often are “payment changes” double-checked?
• Culture indicator: are people scolded for reporting or are they thanked?

It’s also the type of “proof” that makes audits easier because you can show a development, not just an intention.

If you want to roll out a modular program quickly and have something you can document, take a look at Grape’s IT security (built with BDO as subject matter expert).