Security Engagement Kit: embedding a lasting security culture

Cybersecurity is a key consideration for all universities, but the user perspective is still largely missing from discussions about what is needed. However, the people in any organisation are the most important driver of improved security. Switch has developed its new Security Engagement Kit based on its experience with the community as well as research findings and international best practices.

Text: Roland Eugster, published on 26. May 2026

A photo of a vintage gaming machine — Photo: Maximilian Wiederhold, Switch

In brief

Approaches based solely on e-learning are increasingly reaching their limits, because knowledge alone rarely leads to lasting changes in behaviour.
Scientific models support this finding: security-conscious behaviour is developed when knowledge, opportunity and motivation come together.
Switch has developed the research-backed Security Engagement Kit based on dialogue with the university community and international specialist networks.
The kit combines awareness, knowledge transfer and empowerment within a practical and customisable programme for universities and research institutions.

Universities and research institutions face the challenge of embedding cybersecurity in their decentralised organisations. Different target groups, limited resources and complex structures make it difficult to establish security-conscious behaviour in a sustainable way.

The latest Swiss SME Cybersecurity 2025 study shows that organisational and behavioural measures often lag behind technical ones. Although the majority of respondents feel secure, only a minority consider themselves sufficiently prepared for a cyberattack. At the same time, IT providers rate their customers’ security lower than their own. They therefore recommend above all that they take cybersecurity more seriously and invest in employee training.

Verizon’s 2025 Data Breach Investigations Report also shows the need for action: the human factor played a role in around 60% of all security incidents.

Knowledge alone has limited impact on behaviour

When engaging with the security communication and learning community, e.g. on Human Centred Security Day, as well as with our international networks such as GÉANT and FIRST, we keep hearing the same thing: there are limits to e-learning alone. While online courses impart knowledge, they rarely lead to lasting changes in behaviour. This is often because the processes that are in place do not adequately support security-conscious behaviour. There is also a lack of tools that make it easier or even possible for employees to work securely.

What behavioural research has to say

Scientific models from behavioural psychology confirm these observations. The COM-B model is particularly well established. It posits that behavioural change always involves a combination of capability, opportunity and motivation. People don’t just need skills to act securely. They also require sufficient opportunity and motivation to internalise this behaviour in a work context.

Modern knowledge databases such as the Security Behaviors Database SebDB also follow this approach. They link specific security-conscious behaviours with real risks and show organisations which measures actually help to reduce human behavioural risks. The key factor is the relevance of the information and its integration into existing workflows, rather than its mere communication.

This is where human-centred security comes in. This focuses on how organisations can make security-conscious behaviour easier, more practical and more relevant for people in their everyday working lives.

From community-driven learning to the Security Engagement Kit

Switch’s Security Engagement Kit has been created on the basis of these insights and extensive practical experience. ‘We weren’t just looking to develop another isolated awareness tool. We wanted to produce a practical, research-backed programme that would strengthen long-term cybersecurity at Swiss universities,’ explains Katja Dörlemann, an expert in human-centred security at Switch. Universities receive a combination of ready-to-run, customisable modules that combine awareness, knowledge transfer and skills.

Switch is deliberately taking a balanced approach here between standardisation and individualisation: while the kit is scalable, it also offers enough flexibility to cover different needs. Universities are not left alone with it. Katja Dörlemann’s team supports them in selecting suitable modules and tools and helps institutions to effectively integrate human-centred security into their day-to-day activities.