CAS Cyber Risk Awareness – Review after the First Implementation

In Switzerland, too, we read almost daily in the newspapers about cyber-attacks on companies and other organisations. These attacks often affect customer or employee data. Technical protective measures and processes are important for preventing such attacks. However, many attacks target the ‘human’ factor, such as phishing via email to obtain employee login details. It is now widely accepted that better technology and security policies alone cannot provide effective protection against attacks. Instead, employees must also be involved. That is precisely the goal of our continuing education branch at CYRENZH.

But how do you do that? Large organisations such as Switch and Swisscom have been addressing this issue for a long time, offering training courses, for example. Such awareness measures are becoming mandatory for an increasing number of organisations, often through regulatory or insurance requirements. Cybersecurity and data protection awareness has also been a research topic for some time, particularly in the field of human-centred cybersecurity. However, other disciplines, such as psychology and risk and accident research, are also examining ways to encourage safer behaviour. This is reason enough to launch a continuing education programme at a university of applied sciences that is open to everyone and combines practical experience with scientific findings.

Consequential latte

Over a latte in August 2023, Katja Dörlemann and Fabio Greiner (both from Switch) and I, Nico Ebert (from CYRENZH / ZHAW), discussed the idea for a new CAS Cyber Risk Awareness course. They were immediately on board, and by mid-January, we had started brainstorming together with Cornelia Puhze (also from Switch). In the absence of any existing curricula or established textbooks, we started from scratch, and the result was a very preliminary, rough concept for a course. It was clear to us that this would not initially be a “bread and butter” course for the masses. Our target group – individuals who assist others in becoming more ‘cyber secure’ online – remains relatively small in German-speaking Switzerland. Nevertheless, everything starts small. We wanted to be the first and we believe in the topic. It’s also about filling your own life with things that bring you joy.

We recruited additional experts and lecturers from practice and academia who liked the idea. They developed content, provided feedback and promoted the course diligently. Their areas of expertise range from risk perception and psychology to communication and education, as well as providing insights into the safety culture at nuclear power plants. ZHAW also expressed their support and confidence in the new CAS, which launched in March 2025 with nine participants.

Katja Iseli (Kernkraftwerk Leibstadt AG)
Tobias Schoch, AXA

Conclusion of the first round of implementation

Following the initial implementation, it can be concluded that the original idea is good, and the participants are satisfied. We have developed and discussed some exciting projects from participants’ organisations, and some of these have been realised. For example:

Secondary school teachers were instructed to lock their screens when leaving their workstations. Personal interviews revealed that awareness of the risks involved was not particularly high in some cases. Some teachers, for instance, assumed that the data on their computers would not interest hackers. Given the variety of computer types, it was also unclear how to conveniently lock the screen. Based on a comprehensive analysis in the first module, a broad theory-based intervention involving training, stickers, goodies and other measures was developed in the second module. Teachers were made aware that the data on their computers was critical (for example, students could improve their grades unnoticed), and simple ways to lock the screen were demonstrated. Small stickers and other incentives ensured that the safe behaviour became a long-term habit. Measurements taken at the school after the intervention showed a change in behaviour.

The Participants of the first class

I found the CAS Cyber Risk Awareness course very successful in terms of both content and lecturers, and I will be happy to recommend this continuing education programme to others!

Simone Zemp, Co-Principal and Information Security Officer, Sekundarschule Hausen am Albis
Noah Denger, IT Security Officer, Coop

The CAS has helped me personally a great deal because the knowledge I gained can be applied not only in IT security, but also in everyday situations.

The other groups worked on equally exciting projects: secure assignment of admin passwords by network administrators in an IT company, installation of secure software by IT administrators even under pressure, and the secure handling of USB sticks were further topics.
Finally, a big thank you to all participants, lecturers, and the ZHAW management (Thierry Volery) for their trust. Special thanks to the lecturers:

A huge thank you also goes to Switch: without your commitment, the CAS would never have been possible. We are all looking forward to the next edition in spring 2026 – the first registrations have already been received.

Cornelia Puhze, Katja Dörlemann and Nico Ebert