In past posts I've talked about some of the strategic issues you need to consider when planning your awareness program, including building your Steering Committe, defining your security awareness goals, and documenting any awareness policies. Today we look at time limitations. People often forget this issue, how much time do you have to communicate your awareness program, especially the primary (or annual) training. The end goal is to not only make your training as effective as possible, but as short as possible. You only have so many resources for communicating. In addition, people can only remember so much information. Also, you may have other limitations set by your organization, perhaps set by Human Resources or Training department. However there is also a direct dollar cost to training. The longer your training is, the greater the man hour costs. For example, lets say you have 5,000 people in your organization, averaging $30 an hour. One hour of employee time costs the organization $150,000 in lost time. If your annual awareness program is two hours long, then that is costing your organization $300,000. This is one of many reasons why I have seen organizations moving to shorter training sessions. By reducing training to thirty minutes you save $225,000. Now while this is a limitation, you can also use it to your advantage. You can build an effective business case with management. For example perhaps if they increase your awareness budget by $100,000, you can create far more engaging training that has greater impact, and yet reduces the training time to thirty minutes, thus ultimately saving $125,000.
Ultimately the question is not how long your training is, but how effective it is. Are you not only meeting compliance requirements, but changing behavior and reducing risk. However, by focusing on shorter content that focuses on key topics with the greatest ROI, you not only have greater impact but save money.