Hugo Boss modernizes global security awareness training and reduces user risk with Dune Security

About

HUGO BOSS is a global leader in premium apparel, with over 17,000 employees spanning 130+ countries. Headquartered in Germany, HUGO BOSS operates a wide-reaching network of retail stores, online platforms, and partner channels, requiring consistent security standards across a diverse international workforce.

• Strengthened board reporting capabilities with measurable KPIs around user behavior improvement.

Challenge

Siloed and dated training materials lacked flexibility, relevance, and reach

As CISO at HUGO BOSS, Stefan Baldus’ top priority is protecting company information across every region. In today's advanced cybersecurity landscape, he understands that technical defenses alone aren’t enough — he also needs to ensure employees are armed with the skills to identify and prevent these modern threats. 

However, the company’s legacy security awareness training (SAT) vendor left major gaps. “It didn’t have the flexibility to properly adapt our training or the breadth of attack simulations to challenge users,” he explains. “And without personalization or customization for specific risk areas, our employees didn't relate to the training.”

His primary concern was the system’s outdated content and limited scenarios that “didn’t reflect how attacks work today.” Not only did employees receive the same static PowerPoint-based training year after year, but the phishing simulations were equally one-dimensional. “Every user got the same email — there was no way to differentiate,” he says, leaving the company vulnerable to other, very real attempts.

HUGO BOSS’ global scale presented additional barriers. Even within the Americas, where Dune Security is currently rolled out, non-native English speakers would routinely delete English-only materials without engaging. With training previously limited to English or German, many international employees were at a disadvantage in grasping complex cybersecurity concepts.

And when employees did engage with the training, the overall learning experience fell short. "If users failed a simulation, they'd receive a quiz that didn't connect to the specific phishing email they'd interacted with," Stefan explains. This made it difficult for them to understand what they did wrong or learn from their mistakes. As a result, employees just went through the motions, completing exercises without changing their behaviors.

This disconnect alone posed significant risks. But a lack of meaningful metrics ushered in its own complications. Without clear KPIs to quantify risk reduction, they couldn’t prove security awareness within the company or advocate for broader investments. “As CISOs, we live by our KPIs,” Stefan notes. “It’s how we demonstrate that what we’re doing is working — that risk is going down, and our people are getting better at spotting threats.”

He knew HUGO BOSS needed a modern solution, one that could deliver flexible, localized content, garner real engagement, and provide measurable insights into user behavior across a global footprint. Dune Security offered exactly what Stefan was looking for.

/quote-1

Solution

User-adaptive training, flexible localization, and real-time risk measurement with Dune

HUGO BOSS partnered with Dune to overhaul their SAT approach and design training that employees could truly connect with in their day-to-day roles.The experience was fast and frictionless from day one — deployment took less than 30 minutes, and new users were added quickly with minimal technical lift or pull on Stefan’s team.

Instead of generic, one-size-fits-all content, HUGO BOSS can now customize their material to any user role, regional need, or real-world threat with Dune’s microtraining modules. These bite-sized sessions keep training lightweight, focused, and easier to absorb, increasing engagement by transforming security training from a burden into a relevant, meaningful task. And since this content is continuously updated, the team has officially put their PowerPoint presentations to rest, redirecting their focus to new, higher-impact security initiatives.

The company’s attack simulations have also become more effective with Dune. Unlike the previous system’s single-format approach, Stefan can tailor phishing scenarios to specific user profiles, preparing employees for any real-world threat, from CEO fraud to drive-by downloads.

This flexibility has been key to early adoption in the Americas. As the rollout expands, Dune’s localization capabilities will enable HUGO BOSS to deliver trainings and simulations in multiple languages, ensuring the program can scale effectively worldwide. Dune’s platform also provides the measurable outcomes the team was previously missing. Users’ risk scores are calculated in real-time, based on factors like training completion and phishing performance, delivering unprecedented visibility into individual and department-level progress.

At the executive level, real-time KPIs around user behavior have transformed board reporting and security investment conversations. Stefan and his team can now confidently demonstrate measurable improvements in user risk reduction, helping leadership understand the tangible value of ongoing security awareness initiatives. “Showing the board a measurable improvement, even a 15% gain, helps them understand the impact and support for the program,” he shares.

With Dune, cybersecurity training at HUGO BOSS has shifted from a check-the-box compliance task to an adaptive, measurable, and employee-centric learning journey. “If people don’t enjoy it, they won’t click. If they don’t click, they don’t learn,” Stefan says. “Dune helped us turn training into something they actually want to engage with.”

/quote-2

Results

Hugo Boss strengthened employee engagement, reduced user risk, and improved global training scalability

Since migrating to Dune, HUGO BOSS has seen major improvements across key security awareness metrics. Risk scores have measurably decreased, both at the individual user level and across broader regions, as employees demonstrate stronger behavior during phishing simulations and training exercises. HUGO BOSS projects to see a 30% reduction in user risk scores projected within 45 days through localized, role and risk-specific microtraining.

Training completion and engagement rates have also dramatically improved as employees began actively interacting with simulations. Staff who once passively completed mandatory exercises now proactively reach out to security teams with questions and feedback, showing genuine curiosity and ownership over cybersecurity best practices.

This shift in behavior reflects not just compliance, but a more security-conscious culture throughout the organization. “That didn’t happen with the old system,” he continues. In tandem, Stefan’s team has experienced a 75% decrease in time spent managing training logistics.

With Dune’s multilingual support (5 languages launching) and low-lift onboarding, HUGO BOSS is preparing to scale its security awareness program into additional regions, including APAC and EMEA. The team also plans to integrate Dune’s awareness metrics deeper into its broader risk management framework — expanding localized phishing simulations to ensure every employee, regardless of language, is equipped to recognize and respond to modern threats.

/quote-3