One of the key points I covered in my "Securing The Human" presentation at both SANS and NY was the idea of running a security awareness program on a monthly or an annual cycle.  Specifically, which is the better approach: an annual program requiring all employees to go through the full training once a year, or a monthly program where a new topic is covered every month?  Each approach has its advantages and disadvantages.

Annual:  In an annual program all employees get training on all security topics in a single event (usually online training or an onsite workshop).  This full training is usually also required for new hires.  The advantage of this approach is that it ensures everyone learns all the key topics.  The problem is that people quickly forget most of the information.

Monthly:  In this approach the organization focuses on continuously reminding employees about security risks and how best to protect themselves.  Instead of covering all security topics at once, the training is broken down into smaller modules, with a new module or topic covered every month.  The advantage is that employees are constantly reminded about security.  The disadvantage is that the content is spread out over a year.  If your awareness module on phishing is scheduled six months from now, your employees go untrained on phishing for the next six months.  If an employee misses the module on data protection, they most likely will not see that training again for another year.

So, which one do you go with?  Neither on its own; you need to apply both.  Have an annual program that covers the full training (and make sure your new hires take it as well).  This ensures that everyone receives a complete foundation in the key security risks and in how to protect both themselves and the organization.  Then combine this with a monthly program.  Not only does this remind and reinforce the key topics, it also gives you a regular opportunity to update your content, since threats, technology and your organization are always changing.  The key to a combined approach is breaking your full training program down into specific topics (I recommend no more than ten), then reinforcing one of those topics in each of the months following the annual training.  Repeat the cycle every year, updating the content each time.

Is your organization doing something similar or are you using a radically different approach that you think works better?  Let us know!