Danske Bank, a leading financial institution serving millions of customers across Northern Europe, started working with OutThink over four years ago as of this writing in December 2024.

Danske Bank has always placed a high priority on cybersecurity. As a leading financial services institution with an extensive network of employees and clients, maintaining robust cybersecurity practices is crucial to safeguarding sensitive data and maintaining trust. Recognizing the growing importance of human risk management in cybersecurity, Danske Bank turned to OutThink, a renowned cybersecurity training and awareness platform.

In the course of working with OutThink, the bank has mounted an impressive Cybersecurity Human Risk Management (CHRM) program, raising the bar in employee engagement and awareness. In this case study, we will explore how Danske Bank achieved transformative results in its cybersecurity culture and awareness with the help of OutThink's innovative solutions.

Danske Bank made a move four years ago from legacy security awareness for the purpose of compliance to a more holistic approach for human risk management. The goal was to reduce risk exposure at the bank in a fundamental way.

The regulatory requirements are much more limited and provide a floor that is too low from a risk standpoint. Leadership at the bank felt they should do more to actually target behaviors of employees in order to lower cybersecurity risk.

Because legacy security awareness is a one-way conversation, an information push from Security to IT users, the overall engagement with users at Danske Bank had been limited.

There are several examples of learning about the root causes of security friction that led the Security team to question some of the business processes that are status quo at the bank. Security can become a point of introspection about inefficiencies that lie unnoticed for years in a large enterprise.

As far as metrics, we are looking at completion rates, engagement metrics and employee ratings, which have consistently stayed quite high – above 4.5 out of 5 stars. We also look carefully at the average time users spend completing their training. We want to boil down the content to its bare essentials in order to minimize the time people spend in the training, without hurting the level of knowledge they can achieve - we’re proud to have decreased time employees spend training by 40%, improving business efficiency, whilst keeping knowledge scores high.

As a principle of engaging our users, we are no longer interested in having one-way push communications with our users. We want it to be a conversation. The facility to collect input from users is integrated very smoothly into OutThink training. We’re able to collect this feedback throughout all OutThink modules without annoying our users. This has proven valuable in steering the direction of the security program, and even overall business process improvements. We’ve collected over 7000 security insights from employees to date!

The indirect way some of the questions are framed within OutThink training – just asking what behaviors people observe in their environment –lends to a consistent flow of unusually truthful information to the Security team about the types of behaviors that exist in the organization.

Seeing who they are reported by provides a heatmap so we know roughly where to look, but without implicating any specific individuals, which can be off-putting. It is the best of both worlds.

We can then also use that indirect input to understand which behaviors are taking hold and which ones still need work in order to improve. This helps set our training direction for future campaigns.

We believe in having the highest quality training possible. We want to make sure it’s customized to Danske Bank, that it’s modern, tech-forward, new and exciting. Rather than the legacy training platforms that are old and outdated.

The root cause analysis that comes with phishing campaigns, along with OutThink team’s support in setting up the initial set of these campaigns, all serves to provide structure to the phishing training.

Tracking the phishing campaigns, we keep an eye on credential capture, click rates and repeat clicker rates.

We also target specific high-risk groups, for example specific departments or users who have a lot of access rights, or those who work with sensitive information.

Do you feel like OutThink has successfully tackled the challenges?