Security Awareness Blog

Why Traditional Security Awareness Refresher Training is a Bad Thing

Organizations sometimes ask me is if they should have annual 'refresher' security awareness training, and if so what should it look like? Refresher training is traditionally a sub-set of standard annual training. The idea being, after a person has gone through the standard annual training (say one hour long) the following year they go through shorter 'refresher' training that focuses on key points. The value add is people save time, which ultimately saves organizations money. Unfortunately refresher training does not work and this is why.

  1. Refresher training is a compliance focused concept. If you are training people just once a year you have no hope of changing behaviors.
  2. Refresher training assumes that there has been no change in training content from a year ago. This is a very bad assumption. Threats, technology, business requirements and standards are constantly changing, so to should your awareness program. If what you are communicating this year is simply a repeat or a sub-set of last year you are wasting peoples' time.
  3. Even if a specific topic you covered a year ago has not changed, it is ridiculous to believe people will remember everything about it.

Once a year refresher training is an outdated concept, it is only effective if your goal is just compliance. If you want to change behavior and ultimately secure the human element, awareness needs to be a continuous process of actively engaging people with the latest content.

3 Comments

Posted November 28, 2012 at 3:49 PM | Permalink | Reply

Ken Leeser

Larry,
I think the concept of this post is good but you could have stressed it differently. What you are trying to say (in my opinion) is that security awareness training offered ONLY annually as a refresher is inadequate. Training needs to be reinforced continually as the threat landscape evolves. I believe that an annual review/refresher is not a bad thing unless it is the only thing.

Posted November 28, 2012 at 4:18 PM | Permalink | Reply

lspitzner

Ken, good point. Part of my frustration is the once a year approach. But my frustration is also how content is not actively updated. For refresher training, most organizations will simply take the same training from last year, then simply create a sub-set of that and use it again for the following year. I would be much more for refresher training if they actually update the content. However, if you are actively updating content, a year later there is so much new content that ''refresher' is not really possible.

Posted November 28, 2012 at 4:30 PM | Permalink | Reply

Kati Rodzon

Lance- I think you hit on a very good point. Using a ''refresher' course as the only form of annual training makes some bad assumptions about content and assumes that no new issues have arisen within an organization- that need modification''among other things.
Ken- I have to side with Lance on this one and say that even if refresher courses are used in addition to other stuff, it's a slippery slope to actually execute correctly. It can't be stuck in the middle of the year- because of the points Lance outlined. Also, ''refresher' courses traditionally present the ''no duh' concepts to the users that don't strengthen new concepts or force them to apply them. They actually run the major risk of desensitizing the user to the training thereby making it hard to engage them when new information is presented.
Good stuff Lance.