Let’s say that you’ve been tasked with establishing a security awareness program to comply with the regulations that apply to your organization. You set up a series of courses – probably web-based because you have too many students and insufficient resources to run classroom sessions (although this article applies just as much if you’re doing the training for a smaller group of students in a classroom) – and covered all the essentials of security awareness. You’ve tested your students to see that they understand the material, recorded all of the results, and generated all the reports that your auditors and management wanted to see to prove that the program was in place. Well done!
It’s now a year later and you have to do it all again to comply with the annual retraining requirement in many of the regulations. What’s the best way to do this?
Option 1 – Make Them Do It All Again
You could simply run the same training classes again. But you and I know that’s not going to work. Students will be annoyed, the materials may not be up-to-date, and the auditors may question whether the retraining has actually achieved anything. This one (like the dodo) just won’t fly!
Option 2 – Rewrite Everything
Perhaps you should rewrite (or ask your training vendor to rewrite) all of the training materials so that they cover the same topics but in a different way?
I’m here to tell you that’s probably not the best way. Why not?
- You’ll still annoy your students – they don’t want to be taught things that they already know, and (despite what you may think) many of them will remember what they were taught 12 months ago.
- Sequels are seldom as good as the original – we all know that from Hollywood! The original version probably used most of the good ideas for how to present the materials
- If you did a comprehensive job the first time, it probably took each student somewhere between 3 and 6 hours to work through the materials – probably acceptable for the initial training. But do this every year and your CFO will start asking about the cost in terms of time.
- It’s expensive to rewrite a complete and comprehensive training program.
But you still need to update your staff on new developments, and make sure that they remember what you previously taught them. So what’s the answer?
Option 3 – Refresher + New Material + Test on Everything
Over the years, I’ve come to the conclusion that the optimum solution is to:
- Implement a comprehensive new-hire training program.
- Create a new course each year to refresh, update and test the understanding of your staff.
- Update the new-hire training each year with the new topics from the annual course.
Here’s how it works:
- When a staff member is hired or, when you’re rolling out a new program to existing staff, in the first year, you present a comprehensive set of materials (or at least as comprehensive as time will allow, and it’s usually employee time that’s at a premium).
- Each year thereafter, you create a course that does 3 things:
- REFRESH – Briefly reviews all of the topics that you covered in the new-hire training and any previous annual courses.
- UPDATE – Introduce any new security trends that you’re seeing, and highlight any organization-specific problems that have become apparent over the last year. For instance, this year you’d probably want to mention the security problems inherent in social networking applications and, if you’ve had some uninvited guests during the previous year, remind staff to watch out for anyone who’s in an area where they don’t belong.
- TEST – Require the students to do a comprehensive mastery test that includes questions about the topics covered in the new-hire training as well as the new materials that you’ve provided. If you think that students may have forgotten the original materials, you can still make those courses available for reference.
This should meet the needs of most – if not all – regulations for annual retraining.
- Modify the new-hire training to include discussion of the new materials that you’ve covered in the “refresh+update+test” course so that new staff are receiving training on the most up-to-date topics.
In this way, you’ll:
- Reduce the annual retraining to a single course of approximately 45 minutes to an hour (in my experience) – your CFO will be happy!
- Eliminate the cost and hassle of rewriting your entire new-hire training each year.
Note that I’m not claiming that this is perfect and your actual mileage (in terms of real security improvement) may vary. But I believe that the combination of a comprehensive new-hire training program complemented by a “refresh+update+test” course is the best compromise between your ideals as a security educator, and the practicalities imposed by the real world.
