How Often Should Security Awareness Training be Conducted?

As cybercriminals become increasingly sophisticated in their nefarious methods, it is crucial for organisations to invest in security awareness training for their employees. But how often should this training be conducted to ensure its effectiveness?

In this blog post, we will explore the science of security awareness training and offer a guide to best practices regarding the frequency of training programs.

Ongoing Security Training

When learning a new skill, consistent practice adds up. Well, as many studies have found, the same is true for employees and information security awareness training.

While providing employees with a single, or even annual training session may have some level of effect, put simply, a one-time or infrequent training approach is insufficient.

To ensure that the information security awareness-based knowledge is retained, many researchers (e.g., Caputo, et al., Kumaraguru, et al., and Jampen, et al.) have concluded that an information security program needs to be designed as an ongoing process - ideally one which is integrated into users' daily workflow.

Furthermore, knowledge gained from information security awareness training needs to be put into continual practice, in a way which allows individuals to retain this information and adopt these new behaviours into routine.

Persistent Training

Termed by some as 'Persistent Training', there is still some level of discussion about optimal regularity.

In the 2020 study, An Investigation of Phishing Awareness and Education Over Time: When and How to Best Remind Users, researchers found that users' ability to correctly identify phishing emails significantly improved directly after and four months after the deployment of training programme; though these anti-phishing skills were not, unfortunately, present six months after the educational intervention.

"Training should be designed... as an ongoing process within an organisation... Each user should be exposed to such training at least once every 5 months."

Reinheimer, B. et al.

Although biannual training may sound frequent, techniques such as embedded training, which includes simulated phishing attacks linked to resources, means relevant training can be conducted while minimising potential disruption or annoyance.

A further bonus of this form of training being that organisations can gather ongoing information and metrics as to how well their staff can identify and avoid various information security threats, while also steadily and deliberately increasing the breadth of users' knowledge.

Key Factors Influencing Training Frequency

While multiple studies indicate that a twice-yearly approach to information security awareness training would likely be best in most scenarios, there are some further considerations that come into play when determining the optimal frequency of security awareness training for employees:

1. Cyber Threat Landscape: The current threat landscape plays a significant role in determining training frequency. If there is a surge in phishing attacks or other cybersecurity threats, it may warrant more frequent training sessions to ensure that employees are adequately prepared. Specially, in this case, simulated phishing campaigns.
2. Regulatory Requirements: Certain industries and regions have specific regulatory requirements that mandate regular security awareness training (e.g., GDPR, ISO 27001). Compliance with these regulations often dictates the frequency of training sessions.
3. Employee Turnover: High turnover rates within an organisation can necessitate more frequent training to ensure that new employees are quickly brought up to speed on security protocols.
4. Emerging Threats: The emergence of new threats or attack vectors should trigger immediate training updates. For example, if a novel form of phishing attack becomes prevalent, organisations should respond promptly with targeted training sessions.
5. Technological Changes: Advances in technology can introduce new security challenges. Whenever an organisation implements significant technological changes or upgrades, it's essential to provide training to address potential security implications.
6. Feedback and Assessment: Regular assessments and feedback from employees can help gauge their awareness levels and identify areas where additional training is required. This feedback-driven approach can inform the timing and content of training sessions.

The frequency of security awareness training should be tailored to an organisation's unique needs, considering the factors mentioned above. While annual training is a baseline requirement, it's essential to remain flexible and responsive to changing threats and circumstances.

Ultimately, a proactive and adaptive approach to security awareness training is the key to ensuring that employees are well-equipped to protect against evolving cyber threats. By staying vigilant and informed, organisations can significantly enhance their cybersecurity posture and reduce the risk of falling victim to information security attacks.

Hut Six Training

Any organisation can fall victim to an information security incident. Despite technical precautions that help mitigate this risk, your employees are the most immediate and vulnerable target for malicious actors - and your first line of defence.

Now more than ever, you rely on your people making the correct choices in the face of security decisions. Thankfully, with the right knowledge, many of these human vulnerabilities can be easily addressed.

Hut Six's Security Awareness Training solution reduces the risk of a successful cyber-attack. Preventing financial losses, damage to reputation, potential fines, and litigation, robust and engaging information security training is an essential for any organisation looking to improve their information security culture.