Cybersecurity training courses for the manufacturing and transport industries: the building blocks of the CYRUS project

The reliance on digital technologies has surged in recent years, making cybersecurity more critical than ever. This is particularly true for the transport and manufacturing industries, which face increasing cyberattacks while investment in dedicated cybersecurity training remains low. Small and medium-sized enterprises (SMEs) are increasingly targeted by sophisticated cyberattacks, driven by evolving tactics, techniques and procedures (TTPs). Coupled with geopolitical uncertainty and rapid technological change, businesses face growing complexity in securing digital systems, making effective training a critical priority. Furthermore, the NIS2 Directive and the Cyber Resilience Act (CRA) put training as a key element and among the duties of organisations. Despite this, many organisations question the relevance and impact of existing training methods.

The CYRUS project addresses this challenge by answering key questions: How should employees be trained? What topics should be covered? Which methods work best? And who should receive training? CYRUS bridges this gap by developing a cybersecurity training programme tailored to the needs of the transport and manufacturing sectors, with a strong focus on SMEs.

A dynamic training approach

The cybersecurity landscape is constantly evolving, requiring a dynamic approach to training. CYRUS responds with a set of training principles tested in pilot training courses:

• Initial training needs assessment to analyse training needs;
• Regular re-assessment and updates to maintain relevance and anticipate emerging cybersecurity trends;
• Return on experience evaluation for continuous improvement;
• Rapid adaption when behaviour changes or get outdated;
• Instructional design based on andragogy and accessible language (e.g., ISO 24495-1:2023).

Grounded in pedagogy, andragogy and heutagogy, CYRUS employs a user-centred design to ensure relevance, flexibility and learner autonomy, addressing the demands of continuous learning in an ever-changing digital landscape. The programme uses real-life scenarios and customisable learning sequences to engage diverse roles – ranging from non-technical administrative staff to hands-on technical staff – across multiple languages. Learning methodologies are grouped into four categories: non-interactive, interactive, shared and evaluation and monitoring, enabling targeted support for different learner needs.

Pilot results demonstrated high engagement and increased learner confidence, highlighting how well-designed, practical training can transform cybersecurity awareness from a compliance obligation into a strategic advantage.

Training as a tool for defence and risk reduction

Training is a key strategy to mitigate cyber threats caused by human error, as it builds awareness, skills and knowledge that influence behaviour and reduce risk. However, the link between training and actual cyber risk reduction remains unclear. Research shows that cybersecurity training programmes often suffer from low retention and inconsistent impact on actual behaviour.

While some studies claim up to 80% reductions in phishing susceptibility, others are less optimistic – often because positive reports originate from vendors promoting their solutions. Common reasons for training failures include poor engagement, low content quality, language barriers, neglect of adult learning principles and interference with daily operations.

Innovative methods like gamification and nudging show mixed results in cybersecurity because effective defence requires deep behavioural change, enabling individuals to override instinctive reactions during social engineering attacks that exploit urgency, fear or trust.

Interestingly, traditional methods such as flyers, infographics, videos and short courses often outperform experimental approaches. Yet, training remains expensive and time-consuming and is frequently deprioritised, especially by SMEs, which prioritise competitiveness and cost efficiency. Even large organisations sometimes avoid non-mandatory training because of productivity concerns.

Concept and methodology: the three-step approach

To deliver a training framework for enhanced cybersecurity skills, the project partners applied a three-step approach.

1. Analysis of cybersecurity skills, competencies, training needs and skill gaps: In the first year, the project team analysed cyber threat scenarios and workforce profiles in the transport and manufacturing sectors to identify cyber risks and training needs. This formed the basis for the Cybersecurity Competence Framework, which defines the skills, behaviours and knowledge required for individuals and organisations to strengthen cybersecurity capabilities. It supports organisations, HR managers and training providers in identifying cybersecurity competencies, skills and knowledge for both technical and non-technical roles while fostering a cybersecurity culture. The framework incorporates best practices tested by CYRUS and emphasises personalised, customised, and work-based training. It also establishes a common terminology for cybersecurity roles across sectors, enabling the design of effective cybersecurity training programs.
2. Design and development of the training courses: The training design combines pedagogical, andragogical and heutagogical principles to address diverse adult learner profiles. Key features include:
   1. User-centred design, including learner personas, ensuring content relevance
   2. Real-world cybercrime and business scenarios
   3. Modular structure for adaptive learning and learner autonomy, reflecting heutagogical principles
   4. Cyber range exercises for practical, hands-on experience

Andragogy focuses on adult learners’ needs: self-direction, practical relevance and leveraging prior experience to enhance engagement and real-world applicability. Given the rapid evolution of technologies and cyber threats, heutagogy extends these concepts by promoting learner autonomy, goal-setting and co-creation of knowledge. This approach is supported by an adult learning framework, combining non-interactive, interactive, shared learning and evaluation/monitoring strategies. These methods maximise learning retention and engagement by adapting to diverse learner needs.

All content follows the ISO 24495-1:2023 Plain Language standard, ensuring clarity and accessibility for participants across technical and cultural backgrounds.

3. Iterative validation of the training courses: The training courses were piloted with representatives from the target sectors, SMEs, professional associations and training providers to collect feedback and fine-tune content. Early result show strong engagement, especially with scenario-based modules. The pilot delivery enhanced the effectiveness of the final training courses, that are now available here. 

Key outcomes

The result are tailored cybersecurity training courses. Developed for the transport and manufacturing sectors, the courses are designed based on three main principles:

• flexibility, achieved through on-the-job e-learning sessions that optimise training schedules
• personalisation and customisation, ensuring that training pathways are tailored to the roles so that each trainee acquires the skills they need at their own pace
• continuous involvement of SMEs, key stakeholders in the TM sectors, training providers and educational bodies

About the project

CYRUS stands for “A personalised, customised, work-based training framework for enhanced CYbeRsecurity skills across industrial Sectors” and proposes a novel cybersecurity training programme to increase awareness and enable employees in the transport and manufacturing industries to effectively respond to and mitigate cyber threats and attacks. In the project, eleven project partners from nine EU countries work together. It started in January 2023 and ends end of 2025.

CYRUS is co-funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Health and Digital Executive Agency. Neither the European Union nor the granting authority can be held responsible for them. CYRUS has received funding from the European Union’s Digital Europe Programme under grant agreement No 101100733.