Some organizations use a “1 course per month” approach to trickle security awareness training out to their staff – the intention being that they avoid overloading staff with a large amount of training upfront by dividing it up into more manageable chunks, and that the courses themselves act as periodic security reminders.
It’s certainly an effective approach for the first year if you have a fairly steady (low turnover) staff. But there are a number of problems with the approach that I think negate or, at best, reduce its value.
- It’s difficult to think up new topics after the first 12 or so, making each subsequent training module less effective.
- Until the initial program has been fully completed, your training will be incomplete. For instance, you might be subject to a phishing attack before you’ve covered that topic in the training, leaving you more vulnerable. Or your auditors may be a little worried that the program is incomplete if they look at your training records.
- Staff joining after the program has started will have missed some of the topics, so they’ll need to do “catch-up” training. This isn’t too much of a problem if they join in the first couple of months – they’ll only have a couple of additional courses to do. But 12 months later, the backlog can be considerable.
- This system won’t meet the requirements of regulations or standards that specify completion of a training program at hiring and/or before network access is granted.
Because of these shortcomings, I far prefer an approach based on:
- Comprehensive new-hire training for all staff.
- An annual “refresh-update-test” course.
- Short monthly reminders/nudges using email, presentations at staff meetings, posters …
This seems to cover all of the bases, and is consistent with accepted best practices.