Google the question “How often should we do cyber security training”. You are sure to find multiple sites that recommend every 4-6 months. And most suggest that even more often would be ideal. But really, who has that kind of time? Well, when it comes to the security of your organization, your employees are both your greatest asset and greatest liability. Knowing that, maybe you can see why it’s critical you find that time.
The Forgetting Curve
Time for a little history and/or psychology lesson (bet you weren’t expecting that today!): Back in 1885, German psychologist Hermann Ebbinghaus hypothesized that memory retention declines over a very short period of time – something now known as the Forgetting Curve. He found that in as little as 20 minutes, 40% of what’s been learned has already been forgotten. In fact, humans tend to halve their memory of newly learned knowledge in just a matter of days or weeks.
However, he also discovered that regularly spaced repetition of the learned material over a period of time increases the percentage of knowledge retained.
The not-so-magic numbers
Sure, that all seems like common sense. So why do over 60% of organizations report not conducting regular, frequent cyber security training? (And it’s especially puzzling when you realize that 85-90% of all breaches start with a human element!) That 4-6 month recommendation wasn’t just pulled out of a hat. It comes from a study by USENIX: Employees received training focused on identifying phishing attacks. They were then asked to identify phishing emails at intervals over the year that followed. The researchers found that most employees were still able to spot phishing emails four months after the training, but that they started to forget what they had learned after just six months. So considering the potentially staggering consequences of a ransomware attack caused by simple human error, you would think everyone would be scrambling to come up with routine, frequent cyber security awareness training programs for their staff.
Make it fun
It doesn’t have to be that daunting a task. Training can be conducted in the form of games. I’ve written more than one post with ideas for phishing games over the past couple of years. Employees (well, humans in general) are more motivated to learn if they are having fun while doing it. And heck, it’s more fun for the folks doing the training as well!
Back to the basics
It all comes down to the simple ABCs of cyber security training: Awareness, Behavior and Culture.
- Awareness comes from the routine reminders of what to look out for in phishing messages (you could conduct training just based on the numerous posts we’ve written on the signs of a phishing message). Awareness also comes from making sure your cyber security policies are up-to-date and that all staff have easy access to them.
- Behavior refers to both what NOT to do (e.g., click on an attachment from an unknown source) and what TO do (e.g., notify IT staff of potential phishing messages).
- Culture is probably the most important factor. A culture of cyber security awareness needs to be evident from the very top down. If staff don’t believe that the highest level of management cares about the organization’s safety, why should they?
So the honest answer to “How often should we do cyber security training” is this: As often as you can. After all, hackers are constantly upping their game with new tricks, so your organization needs to also remain fluid with its training. If you can maintain an ongoing culture of awareness through reminders, reviews, phishing tests and occasionally more formal forms of training (including those games!), your organization should be in good shape.