Organizations sometimes ask me if they should have annual 'refresher' security awareness training, and if so, what it should look like.  Refresher training is traditionally a subset of standard annual training.  The idea is that after a person has gone through the standard annual training (say, one hour long), the following year they go through shorter 'refresher' training that focuses on the key points.  The value add is that people save time, which ultimately saves organizations money.  Unfortunately, refresher training does not work, and this is why.

  1. Refresher training is a compliance-focused concept.  If you are training people just once a year, you have no hope of changing behaviors.
  2. Refresher training assumes that there has been no change in training content from a year ago.  This is a very bad assumption.  Threats, technology, business requirements and standards are constantly changing, so too should your awareness program.  If what you are communicating this year is simply a repeat or a subset of last year, you are wasting people's time.
  3. Even if a specific topic you covered a year ago has not changed, it is unrealistic to believe people will remember everything about it.

Once-a-year refresher training is an outdated concept; it is only effective if your goal is just compliance.  If you want to change behavior and ultimately secure the human element, awareness needs to be a continuous process of actively engaging people with the latest content.