You've successfully subscribed to INFIMA Security
Great! Next, complete checkout for full access to INFIMA Security
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

How Often Do We Need Security Awareness Training?

Once a year? Once a month? Here's the balance...

Your organization is unique. So are your people.

So how often do they need security awareness training?

Once a year? 🤔
Quick test - tell me what you read on this day last year. If you can't remember, assume your employees don't remember any security training content from a year ago!

Yeah, that would definitely move the needle! But that's ridiculous. Let's not even go there.

So there's a balance...
You'd love a perfectly secure environment with people who live and breathe security.
Your executives won't let you (and you don't have time!) to provide weekly training to the team.

You're typically solving for two things with a Security Awareness Training Program:

  1. Creating a secure environment for your team
  2. Satisfying compliance, regulatory and vendor management requirements

Let's take the second objective - Compliance:

When it comes to Security Awareness Training requirements, everything flows down from NIST's CSF (acronym decrypted: that's the National Institute of Standards and Technology's Cybersecurity Framework) guidance for organizations to:

  • provide security awareness training to information system users (including managers, senior executives, and contractors).
  • include practical exercises in security awareness training that simulate actual cyber attacks (i.e. simulated Phishing attacks and quizzes)
  • provide training on recognizing and reporting potential indicators of insider threat.
  • document and monitor individual information system security training activities including basic security awareness training and specific information system security training. (i.e. reporting!)

That's your baseline.
And for additional industry-specific guidance, you can check out our post or hit us anytime with questions at

Ok, back the the first objective above - Securing Your Environment!

This boils down to behavioral elements - how many times does it take to teach each person on your team to be safe online?
(does this remind anyone else of an old tootsie pop commercial... just me?)

"How many licks does it take to get to the tootsie roll center of a tootsie pop?"

We recommend most organizations start with 4 courses per year, ideally quarterly.

Within those 4 courses, you can hit a whole broad array of security topics - and INFIMA takes care of for you!

This balances the challenge of gaining your team's attention multiple times per year with maintaining frequency of key security information.

And if your team wants more training courses or has specific requirements from regulators?

Well, then we suggest bumping up to 6 courses, provided every other month.

In only rare cases do we suggest as many as 12 courses for an organization, and our Onboarding Team plans all of that with you!

Pair it with Phishing Simulations

And then how do we gauge success of the program?

That's where simulated Phishing attacks come into play!

It's key to test your employees continuously on their safe behaviors. You'll want to maintain an active Phishing simulation program - yeah, we do that for you!

And for those unsuspecting "clickers" who put your organization at risk, we provide remedial training opportunities!
Yeah.. we know that no one is excited about remedial training, but we're nearing the end of the article - let me take some liberties!

This is important, so we also created a handy guide to choosing your Security Awareness Training program provider.

Are you ready to take action?
We make it easy to Train your team effectively and easily. Find out how to protect your team with INFIMA's Automated Security Awareness platform.

Start with a quick quote - hit us up here! (No sales call necessary!)

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.