ELI5: What is Training Frequency?
You wouldn’t practice piano once a year and expect to play well. Security training works the same way — you need it when you start, and then regular refreshers so you don’t forget what you learned.
Definition
Training frequency refers to how often security awareness training is delivered to employees. Training should begin at onboarding (before employees access systems) and continue with regular refreshers thereafter. Industry best practice and most regulatory frameworks require training at least annually, though quarterly or more frequent short-form training (microlearning, security newsletters, phishing simulations) is recommended to maintain awareness and address emerging threats between annual training events.
Key Details
- Onboarding: all new employees complete security awareness training before or immediately after starting work
- Annual: the regulatory minimum required by most frameworks (HIPAA, PCI DSS, NIST)
- Quarterly (or more frequent): best practice; short microlearning modules, phishing simulations, and security tips maintain ongoing awareness
- High-risk roles (privileged users, finance staff, executives) should receive more frequent, targeted training
- Training records (completion dates, scores, acknowledgments) must be maintained for compliance evidence
Connections
- Parent: security-awareness-training — training frequency determines how sustained and effective the awareness program is
- See also: role-based-training
- See also: metrics