I recently saw a question posted asking how long should security awareness training be. First, I'm excited whenever someone is attempting to better understand their human risk and how to best address it. However, starting with "How long should it be" is the wrong question to ask. Instead, if you want to develop an awareness program that has an impact, the three key question to ask are as follows: WHO: First determine who you are targeting in your training, whose behaviors do you want to change? Most likely you are targeting your employees/contractors, but what about other groups that may require additional security training, such as IT Staff, Developers, Help Desk or Senior Management? WHAT: Once you determine WHO, then determine WHAT you are going to teach them. Take each group and identify the greatest human risks, including how they will likely be attacked. Once you identify the greatest risk with those targets, develop the training that will most effectively mitigate those risks. Different target groups will require different training as they have different risks. Focus on key topics that reduce the greatest amount of risk, ultimately your goal is to create the shortest training possible. HOW: Finally, HOW will you communicate your training? This is when you stop thinking like security professionals and start thinking like marketing. You need to engage your targets, a great indicator of success is when employees ask how their family can take your training. In addition, you want to be continually reinforcing your training throughout the year, at a minimum monthly. You would not patch your computers once a year and consider them secure. People are no different. If you are planning a new awareness program, or looking to improve an existing one, I highly recommend you check out the free Security Awareness planning resources, developed by the community for the community.