You have the right subject matter, and a sound plan for presenting your materials. But, like it or not, cost is a major consideration when putting a security awareness training program in place.
Initial price is often the thing people focus on most, but it’s seldom what causes a program to fail. I’ve seen quite a few awareness programs fail because they just cost too much to run on an ongoing basis.
Here are just three of the ways that I’ve seen awareness training programs fail because they were too expensive.
- Classroom Training for Large Numbers of Students
- Gold-Plated Requirements
- Failure to Include Admin Costs
A few years ago, I came across a consultant who adamantly insisted that the ONLY way to carry out information security awareness training was in the classroom – no matter what the situation, or size of the client.
I’m sure he was right that classroom training is (usually) much more effective in transferring knowledge from the instructor to the students than web-based courses.
However, for any organization larger than (say) 50 employees, or with high staff turnover, the cost of web-based training will be significantly lower than the cost of classroom sessions – some of the potential savings being the elimination of:
- instructor costs
- paper (course handouts, policy documents, signature sheets)
- room costs/rental
- travel for out-of-office participants
With the cost of web-based awareness training for general staff dropping every day (prices of a few dollars per student per year being possible for larger purchases), classroom training is best kept for special situations and audience groups.
All too often, what starts out as a simple and affordable project becomes unwieldy and expensive as requirement after requirement is added.
- You wanted 6 simple web-based courses to be run on a simple, vendor-hosted, learning management system (LMS) so that you can get your US staff trained.
- Your IT department decided that it should be run on an in-house server, and integrated with several of their administrative tools.
- The HR department added the requirement that the LMS should have a built-in web conferencing tool and an employee competency management system.
- The Training department insists that the courses must be ‘interactive’ with Flash animations, and video clips.
- Your VP for International Operations insists that all overseas offices receive the same training, so you’ll need to translate all of it – including all the Flash animations – into 12 different languages.
By the time all this is over, a project that might have cost $5K is looking more like $500K and just won’t happen.
So, when putting together your requirements, ask yourself (and others) – do you really NEED everything on your wish list?
When putting together the budget for an awareness training program, the things that come to mind most readily are:
- For classroom training: trainers (contractors?); classroom rental; printing of materials
- For web based training: course development costs; licensing of content; learning management system license purchase, or rental
Some of the things that frequently slip under-the-radar are account administration costs – most notably the labor required for adding new students and maintaining student lists, technical support – and the time and effort required to generate reports.
This is often the case when an IT or security department is setting up the program and simply assuming that HR will manage the system once it’s in place. And, all too often, that’s not the way that it plays out!
Next post … too much content, not enough time for students.
Previous Posts in this Series