How often do you train on security awareness?

May 24, 2022

How often do your employees train on the same subject?

When it comes to security awareness training and privacy training for regulations like HIPAA, there are two different ways to approach this question:

  1. Train frequently enough to meet requirements; or
  2. Train frequently enough to make it stick.

Meeting training requirements for SOC 2 or HIPAA or PCI or state harassment rules is the minimum. And it’s usually so infrequent (annual is the most common) as to be ineffective at actually teaching people anything or influencing behaviors. It does check the box, which has value because checking the box is a necessary, albeit hand-wavy, approach to proving we care about these topics (security, privacy, harassment, etc.).

If the topics really matter, training should be done frequently enough to make it stick. But how frequently is enough to make something stick?

“Make it stick” is open-ended and hard to quantify. When it comes to security awareness training, it’s easy to say “we meet SOC 2 training requirements by training all employees on security awareness once per year”. It’s a lot harder to say “we train all our employees on security awareness topics each week and this results in better cybersecurity posture for our company”. Unfortunately, if it’s hard to quantify, it’s also hard to come up with and stand by an ROI for going beyond checking the box.

While there are some (mostly) objective measures to quantify things like human risk, these are hard to directly correlate with training. Instead, why not use data from well designed research? There’s well established research on frequency of teaching and retention, lots of it.

The most interesting studies analyze specific skills based on training at various frequencies. This study of CPR training is a good example. Excellent CPR performance is shown at various training intervals:

  • Monthly training - 58% excellent.
  • 3 month training - 26% excellent.
  • 6 month training - 21% excellent.
  • 12 month training - 15% excellent.

It’s easiest to visualize the trend in the data. Check out the chart below.

It’s amazing that training effectiveness drops 52% when you change training from every month to training every 3 months (quarterly), but then effectiveness only drops 19% when you change training from every 3 months to every 6 months. It almost flat-lines, at least relatively, when you push training frequency out beyond training every month.

This is why training monthly is the minimum to make something stick. And it’s why many training companies, like NINJIO, offer monthly lessons. These monthly lessons are typically topical and relatively short, taking between 5 and 15 minutes to complete.

Monthly training is way better than checking the box with annual training; but the pace of change in tech, the flow of work, and cyber attacks are so fast today that even monthly topical training is not frequent enough to truly be effective.

The topical nature is where it falls down. You can do a training on spotting fake links this month, but it’ll be a year before that topic is covered again. The CPR data above measures the effectiveness of repeating the same training at different frequencies. Monthly security awareness training, as it is usually done, is topical, so it is not monthly training on security awareness; it is monthly training on one specific security topic, and each individual topic still only comes around once a year.

In an ideal world, one where employees learn and adopt security hygiene best practices, staying ahead of attackers, security awareness training should be continuous. The ideal state of this training is that it is seamlessly integrated into the work people are doing. It’s not lessons or courses. It’s just a part of the workflow.

Haekka was built to add this security awareness layer to the flow of work. We deliver training weekly at a minimum and also based on triggers from things employees are doing - sharing a file in Google Drive, adding a guest to Slack, recording a Zoom meeting.

Checking the box on training is not enough.

