Large, Detailed, Long Security Awareness Training… Worthless – A Case Study

Security awareness training is a common component of many businesses big and small. Throughout my career I have taken so many courses I can’t count; most of them are forgettable and all of them are basically the same. In addition to completing training for employers where I was a direct employee, I am also required from time to time to complete training at other companies where I am performing services.

Why? The company’s compliance requirements say so, regardless. Check the box.

This is a common fault of most security awareness programs that I have seen and participated in. The course content is built to appease compliance and the purpose is lost. This makes the materials bloated and off the mark, and has the people taking them doing what they can to finish it as quickly as possible. The content is not paid attention to. The materials are not retained. The program has been rendered worthless to provide any true value.

I recently was put into a situation where I was required to complete a security awareness program because of my proximity to an organization’s environment. The content was over 2 1/2 hours long across many different modules. I eventually complied as the group was being audited by their compliance arm and I had not checked the box.

The content covered the basics of security awareness and touched specific areas of data handling that pertained to the industry of the company. As I went through the first course I realized what this was, an ineffective program.

This was your typical presentation, voice over style ‘training’. I can read faster than listening to a voice read it to me but I was blocked from advancing until after a set time when a continue button would appear. Every single page in every module was like this. I was forced to sit and wait.

When I reached the end of the first module I was presented with a quiz. I listened to the entire module and answered the questions. I did fat finger one question, which it counted as wrong, but I couldn’t advance without the correct answer. I selected the correct one, proceeded to the end and it said I got 100% on the quiz. I did not technically, but whatever.

Here is where I shifted my behavior to what I assume most people who take this did. (I know because I asked several that did). I rapidly clicked on the corner where the button would appear to advance. Then selected the answers of the quiz until I ‘passed’. This was repeated for the remaining 6 or 7 modules left.

All the modules had green check marks as completed. I met the compliance requirements, but was the program effective for anyone taking it or for the business? The answer is no.

This approach may have worked in the past but the culture changes. New studies are conducted. New analysis is completed to help identify better ways to get employees to learn, retain and grow in their training.

Micro-learning has been growing in popularity over the years and my own Security In Five podcast’s show format is based on the formula. Short, single topic episodes that are to the point. No filler. No goofy scenario stories. Nothing but the content you need in the time you can consume it.

Security In Five partnered with Wizer Training to help provide micro learning security awareness programs to individuals and businesses, but do it 100% FREE.

At no cost to you, now and forever, you can sign up and start consuming more security material in shorter time.

Having consumable material that people will actually watch, retain and enjoy consuming will make your program stronger than with hours of materials people will find ways to skip, speed through and check the box to complete it.

Sign up here to get started –


Be aware, be safe.
