Kymatio Case Study: How GAM Soluciones Increased Phishing Detection by 70%

by Kymatio

Discover how GAM Soluciones achieved a 70% phishing detection increase and 50% IT workload reduction with Kymatio HRM. Perfect for NIS2 compliance.

To effectively comply with NIS2 and DORA, organizations must transition from reactive security to proactive Human Risk Management (HRM). This Kymatio case study explores how GAM Soluciones, a multinational industrial leader, successfully enhanced their phishing detection capabilities and improved their overall security awareness posture by transforming their workforce into a strategic "Human Firewall" that operates in sync with technical security controls.

For European CISOs and the C-Suite in 2026, treating cybersecurity as an isolated technical concern is no longer a viable strategy. Under current regulations, executive leadership is now personally accountable for the organization's cyber-resilience. This shift often prompts a difficult question: How does NIS2 affect employee management specifically? It requires a transition where security awareness is no longer a checkbox but a measurable strategic asset that provides tangible evidence of due diligence.

GAM Soluciones recognized that achieving a high security awareness ROSI and superior phishing detection requires more than annual videos; it requires a data-driven approach. In the industrial sector, where operational technology (OT) and IT converge, technology alone is insufficient for true resilience. By implementing Kymatio, GAM moved beyond passive training to a model where employees act as active security sensors. The resulting visibility into human cyber-risk allowed GAM to align its 1,200 employees across multiple countries with its central Security Operations Center (SOC), proving that human behavior is a critical component of institutional resilience.

The Initial Challenge: Managing Risk in a Multinational Industrial Environment

The primary challenge for GAM Soluciones was bridging the visibility gap across 1,200 employees in a complex, multinational industrial environment. Before implementing the solution highlighted in this Kymatio case study, the organization struggled with decentralized risk data and low phishing detection rates across its 75 branches, as well as an unsustainable operational burden on IT staff who were manually managing security awareness without clear, actionable metrics.

The Visibility Gap: A Multinational Blind Spot

Managing human risk in the industrial sector is uniquely difficult due to the geographical distribution of staff and the convergence of IT and operational technology. For GAM Soluciones, the core issue was monitoring vulnerability levels across diverse locations and departments simultaneously. Without a centralized dashboard, identifying which specific groups were most susceptible to social engineering was nearly impossible, leaving leadership unable to answer a critical regulatory question: What tools do I need to evaluate digital human risk?

This lack of visibility is a significant liability under the new NIS2 framework. According to the ENISA Threat Landscape 2025, the manufacturing and industrial sectors now face a disproportionately high impact from cybercriminal activity, with nearly 60% of attacks being financially motivated. For GAM, this risk was exacerbated by the rise of sophisticated phishing trends such as AI-generated scams and QRishing, against which traditional training programs neither delivered a measurable ROSI nor improved phishing detection.

Operational Burden: The Cost of Manual Security

Prior to the implementation, manual security awareness processes generated significant administrative friction for the IT department. This manual approach created several critical bottlenecks:

  • Inability to Scale: Attempting to educate 1,200 users across different countries manually resulted in generic, infrequent training that failed to change behavior.
  • Data Fragmentation: Risk metrics were siloed in different spreadsheets, making it impossible to provide the Board with a unified view of the company’s security posture.
  • Reactive Posture: IT resources were spent on administrative follow-ups rather than proactive threat hunting or incident response.

Ultimately, the company realized that industrial sector cybersecurity requires automated resilience. They needed to move beyond simply asking "how does NIS2 affect employee management?" and implement a strategy that could provide real-time evidence of risk reduction while freeing up technical staff for higher-value tasks.

The Strategy: Deploying Adaptive Human Risk Management (HRM)

The strategy focused on maximizing security awareness ROSI by automating the entire human risk lifecycle through an adaptive HRM platform. By evolving from static training to a dynamic "Human Firewall" model, the company was able to reduce its phishing click rate and synchronize employee behavior with technical SOC alerts, managing over 1,200 users without expanding its IT team.

To achieve this transformation, the Kymatio case study highlights a three-step process designed to shift the organizational culture from awareness to active defense:

  1. Continuous Risk Assessment: Instead of annual surveys, the platform performs ongoing assessments to identify the specific risk profile of each employee.
  2. Adaptive Simulation: Employees receive personalized security awareness training and simulations based on their actual vulnerabilities. This methodology follows the best practices outlined in our complete 2026 guide on attack simulation and security awareness.
  3. Real-time Mitigation: The focus shifts from "don't click" to "detect and report," effectively turning the workforce into a real-time extension of the security team.

Synchronized Defense: Turning Employees into Human Firewalls

The breakthrough in this Kymatio case study was the alignment of the human firewall with technical operations to boost phishing detection accuracy. When an employee reports a suspicious email, that data is instantly valuable to the Security Operations Center (SOC). This proactive reporting loop allows the organization to block malicious domains and neutralize threats before they can escalate into full-scale breaches.

This approach aligns with the latest standards in NIST Special Publication 800-50 Revision 1, which emphasizes that modern programs must focus on behavioral change and risk management rather than simple information delivery.

Automated Management: Scaling Without Increasing Headcount

For a multinational with 1,200 users, manual processes fundamentally constrain operational scalability. GAM utilized Kymatio’s SaaS capabilities to automate the scheduling, delivery, and reporting of all simulations. This automation ensured that:

  • Consistency was maintained across all geographic regions and departments.
  • IT staff were freed from administrative tasks to focus on strategic security projects.
  • Executive leadership received automated reports showing the tangible security awareness ROSI and compliance progress.

Results and Metrics: Measurable Human Resilience

The results of the GAM Soluciones success story demonstrate that a data-driven HRM strategy delivers a massive security awareness ROSI by improving phishing detection and human risk visibility. The organization achieved a 70% increase in employee-led threat detection, proving that human resilience can be measured, optimized, and aligned with technical security operations.

Measurable Transformation: Turning Vulnerability into Intelligence

The most significant shift in this Kymatio case study was the transition of the workforce from a passive target into an active "human sensor" network, a new layer of phishing detection. By implementing personalized training paths, GAM Soluciones didn't just lower their risk; they gained a new stream of threat intelligence.

The metrics demonstrate a significant security awareness ROSI, showing a profound impact on both security posture and proactive phishing detection:

  • 70% Increase in detection: Employees are now reporting seven out of ten malicious emails directly to the security team, drastically reducing the "dwell time" of potential threats.
  • 50% Reduction in IT workload: By automating the awareness lifecycle, the IT department reclaimed half of the time previously spent on manual training administration.
  • 60% Improvement in visibility: Executive leadership now has access to real-time dashboards that quantify human risk by department, region, and risk profile.

Calculating Security Awareness ROSI in a Regulated Environment

For companies under NIS2 and DORA, ROSI is not just about avoiding the cost of a data breach; it is about demonstrating a proactive defense to regulators. By achieving a 70-percentage-point improvement in employee-led phishing detection, GAM Soluciones significantly lowered their "attack surface" without increasing headcount.

As Gartner highlights in their research on human-centric security design, the future of cybersecurity lies in reducing friction and empowering users. This case study serves as a blueprint for organizations crafting a phishing simulation masterplan focused on ROSI and compliance.

Juan José Rodríguez, CIO of GAM, perfectly summarized the strategic value: "The physical firewall is now aligned with our human firewall."

C-Suite Responsibility: Meeting NIS2 and DORA Standards Through Evidence

Under NIS2 and DORA, executive responsibility has shifted from passive oversight to a legally binding mandate. To ensure NIS2 compliance, the C-Suite must now provide tangible, auditable evidence of human risk management, including verified training records and real-time KPIs that prove active supervision of the organization's cybersecurity posture.

Evidence-Based Security: Leveraging Risk Metrics for Compliance Verification

The NIS2 Directive (Article 20) is explicit: management bodies are responsible for the implementation of cybersecurity risk-management measures. In the event of a breach, "we didn't know" is no longer a valid defense. As this Kymatio case study demonstrates, leadership must have direct access to human risk metrics to exercise executive responsibility effectively.

By utilizing Kymatio’s centralized dashboards, GAM Soluciones was able to provide its Board with a clear view of how their security awareness ROSI translated into lower organizational vulnerability. This level of transparency is critical for navigating the new era of executive personal responsibility under NIS2.

Centralized Control: Consistent Standards Across Borders

For multinational industrial leaders, the challenge is maintaining a high security standard across different legislative and geographic landscapes. A centralized HRM platform ensures that:

  • Audit trails are unified, making it easier to produce a complete set of audit evidence and training records for regulators.
  • Compliance is standardized, preventing "weak links" in regional offices from compromising the entire corporate infrastructure.
  • Management can prove due diligence by showing consistent simulation frequency and improvement rates across the entire 1,200-employee workforce.

Conclusion: Scaling the Human Firewall Across the Enterprise

Scaling a human firewall and improving phishing detection across a multinational enterprise requires transitioning from manual, sporadic training to a data-driven security awareness model built on an integrated, automated Human Risk Management (HRM) platform. As demonstrated by this Kymatio case study, automating human risk management is the most efficient path to reduce phishing click rates while generating a measurable security awareness ROSI that satisfies both technical SOC requirements and NIS2 legal mandates.

GAM Soluciones demonstrates that sustainable resilience is built not on static compliance measures but on visibility and behavioral change. By empowering employees to act as active security sensors, the organization effectively closed the gap between human vulnerability and technical defense. Automating this process is the only way to maintain consistent security standards without overwhelming your IT staff or your budget.

Do not wait for a security incident to reveal the limitations of manual testing. Future-proof your organization by moving toward a model where your workforce is your most effective detection layer. To ensure you select a platform that meets the technical and regulatory demands of 2026, consult our expert checklist for validating phishing simulation providers and begin building a resilient, compliant infrastructure today.

[Embedded video: Juan José Rodríguez, CIO of GAM Soluciones, talks about employee cybersecurity and Kymatio.]

Frequently Asked Questions

What is the actual ROSI of human risk management in regulated companies?

ROSI is measured by the reduction of costly incidents and operational efficiency. In the case of GAM's success, a 50% reduction in IT workload was achieved, allowing the technical team to focus on tasks of greater strategic value rather than manual management.

How does the Kymatio platform help with NIS2 compliance?

Kymatio automates the collection of evidence, training records, and human risk KPIs required by NIS2 and DORA. This enables senior management to demonstrate due diligence through auditable reports that reflect active and continuous risk oversight.

How did GAM Soluciones manage to increase threat detection by 70%?

The key was to transform employees from passive subjects to "human sensors." By aligning Kymatio training with SOC alerts, employees began actively reporting phishing, creating a real-time feedback loop that strengthens perimeter defense.

Why is HRM more effective than traditional cybersecurity training?

Unlike generic annual videos, Human Risk Management (HRM) uses cyberpsychology to personalize learning. By addressing the specific vulnerabilities of each profile, it achieves real behavioral change, such as the 60% increase in risk visibility obtained by GAM.

What legal responsibility does senior management have under Article 20 of NIS2?

Senior management is now personally responsible for approving and overseeing risk management measures. The use of tangible metrics (such as an increase in the threat reporting rate) is essential to protect managers from potential penalties and disqualifications for negligence.

How is human risk managed in a multinational company with multiple locations?

SaaS automation allows security levels to be standardized across all branches. GAM Soluciones, for example, managed to unify the cybersecurity culture across its 75 branches and for its 1,200 users, ensuring that there are no geographical "weak links."