Our Recommended Awareness Training Plan – And How You Can Change It
Planning an awareness training curriculum can be challenging – it's something we hear all the time. So, we've made a recommended course plan for the first year of awareness training. Whether you are already a CyberPilot customer, or just looking to get your feet wet with awareness training, we hope our guidance can be useful to you.
Our recommended plan is generally applicable, but we also know that some organisations want to put their own twist on it. But how do you do this properly? Which elements are key to a successful awareness training program and which elements are you free to play around with? In this post, we give you concrete tips for making an awareness training plan specifically for your organisation.
Our recommended course plan for the first year of security awareness training
As you’re getting started with awareness training in your organisation, you might wonder what to train your employees on, and when. It can be a big task to figure out the right plan. At CyberPilot, our learning design experts have made a recommended course plan for the first year of security awareness training.
The plan begins with our starting package, which gives knowledge about some of the most important IT security and GDPR topics. Then, we alternate the following months between our expert-recommended courses and new courses released every other month.
The result? A year-long plan that establishes a basic level of knowledge on various IT security and data protection topics.
By the way, don’t worry if you aren’t already partnering with CyberPilot for your training! We still wanted to share our plan as a source of inspiration – and we hope it can be useful to your own work. The course topics and guidance we give around, e.g., how frequently to do training, can give you some ideas to help you get started, even if you’re doing the training yourself.
Now, here's our recommended security awareness training plan:
| Month | Courses |
| --- | --- |
| Month 1 | Starting Package: Awareness Intro, Phishing, Personal data, Passwords |
| Month 2 | New course |
| Month 3 | Protect your work computer |
| Month 4 | New course |
| Month 5 | Taking responsibility for personal data |
| Month 6 | New course |
| Month 7 | Two-factor authentication |
| Month 8 | New course |
| Month 9 | Security breaches |
| Month 10 | New course |
| Month 11 | Updates |
| Month 12 | New course |
Why our plan works
Our recommended awareness training plan is backed by our learning philosophy. We believe that continuous training over time produces the best long-term results. If you’re curious, we talk about this more in our blog post about microlearning.
Spreading training out over time also solves the challenge of overwhelming your employees with too many courses to take at once. Through our years of experience with awareness training, we’ve learned that the magic number of courses is 1-2 courses every 1-2 months. The monthly learning in our recommended plan helps make sure that IT security is always on the agenda.
Our plan also works by providing a basic level of awareness about different topics, and then building on that knowledge over time through repetition. We build elements of repetition into all our courses, so that good digital habits become second nature for our users.
Why we recommend 1-2 courses every 1-2 months
Our courses are designed to take about as long as it takes you to drink a cup of coffee (5-7 minutes). They are short and concise because we want the training to feel like a small, educational break in the workday.
Even though it might be tempting to send out all the courses at once and be done for a while, we do not recommend taking all (or many) of them at once. There are a few reasons for this:
- It negates the point of continuous awareness training, which is what our security awareness training is all about.
- We humans have short attention spans and memories. It's likely that a few weeks after the training, many employees will have already forgotten some of what they learned.
Instead, taking them regularly over the year helps the information stay fresh in everyone's minds while being a manageable task for employees to complete. It's much more valuable for your employees and your organisation's security to spread awareness training over time.
If you want something more custom for your organisation
Our recommended plan was designed to be generally applicable. But we know that sometimes, you just want to put your own touch on the training plan.
So, we also want to give you some guidelines you can follow when customizing our plan to fit your organisation. Whether you’re making your training from scratch or using our courses, the guidance below can help you figure out how to make a training plan that works for you.
What should you consider when making a security awareness training plan?
The decision about what courses you want to send to your users depends on a few things:
- How active of a role do you want to play in making the course plan and hand-selecting courses? Maybe you want to take a back seat and just auto-enroll users in our new courses that come out every other month.
- What are the security threats your company is most and least likely to encounter? If, e.g., remote work is not possible in your organisation, you can prioritize other courses.
- How many courses do you want your users to get? Based on our recommendation of 1-2 courses every 1-2 months, this could be anything from 6 courses to 24 courses each year, which is a big difference. Having a general number in mind will help you plan.
Now that you’ve thought about those questions, we’ll give you our tips on designing your own security awareness training plan.
General recommendations for making a course plan
If you want to make your own security awareness training plan, you should begin by looking at our recommended plan and decide if you want to add courses or swap courses for others in our catalogue. If you’re not a customer, don’t worry! Our catalogue and recommended course plan can give you ideas for the important training topics to cover when you’re just getting started. And you can try out our courses for free for 14 days to get a better idea of how our training works.
As you're making your own plan, we recommend that you:
Plan ahead
You should plan at least 6 months ahead. This will help you spread out courses in a thoughtful way and save you the trouble of having to make big training decisions every month. It shouldn’t take too long to plan – no more than an hour or so. And each time you do the plan, it’ll get easier because you’ll have a template to build from.
Keep our recommended course frequency
Even if you’re changing which courses to send out, we recommend that you keep the course frequency of 1-2 courses every month or every other month. There is a lot of wiggle room for you to customize our recommended frequency to fit your organisation. You can send out 1 course every other month, 2 courses each month, and anything in between.
You can see that our recommended plan gives one course per month. We’ve found this to be a good frequency for most organisations, especially since the courses take so little time to complete. You might consider sending out more or fewer courses than this depending on, e.g., how aware you think your organisation already is, their schedules/workload, and the security risks you want to teach them about immediately.
We release a new course every other month, so that is a natural way to meet our recommended minimum. If you want to give your organisation more awareness training, you can pair this new course with up to 3 more courses over the span of 2 months. Just make sure to:
- Wait at least 2 weeks between courses to avoid redundancy.
- Do not let 3 months go by without sending out a course. This is too spread out.
You can also stray entirely from our recommendation, but we can't vouch for the results. That being said, you know your organisation best. So, you can customize our recommendation to your needs and organizational structure. For instance, maybe there are some months when your colleagues are particularly busy and should only have 1 course. Or maybe you want to plan that they never have to take a course in July when a lot of people are on vacation. The decision is up to you.
Balance building awareness with employees' tasks and attention
It's important to find the right training balance so that employees do the training and take something away from it. If you send out too many courses too often, you risk losing your employees' attention and willingness to do the training. If you don't send out enough courses or there is too much time between them, you risk that the learning goals don't stick how you want them to, since the reminders are too spread out.
This is something you should think about when deciding how many courses your employees should take each year.
Consider your own workload
If you’re in charge of the training, you might also be concerned about how much time it will take you to plan the curriculum and send out courses. You know yourself and how much spare time you have to dedicate to the training.
Maybe you want to take a less hands-on approach. Then you could automatically send out our newest course every other month, and do nothing else. Maybe you want to handpick the course(s) every time, meaning you'll be more involved in choosing when and which courses are sent. That is up to you.
Give spaced repetition of topics
Our courses are designed to be used continuously, allowing users to build awareness over time. Spaced repetition helps learning stick, and it's much easier to remember something if you hear it again a few times. Because of this, the courses have repetitions and taking them all at once can feel redundant.
We recommend that you spread out courses that cover the same topic over time, rather than batching them together. This will keep important security topics fresh in your employees' minds. You should also send out a mix of courses on cybersecurity and GDPR topics to keep awareness high year-round.
For example, if you only talk about phishing at the beginning of the year, your organisation could have already forgotten about it a few months later. You can even have your organisation repeat old courses as needed with current events and security risks.
Consider pairing courses on complementary topics
If you send more than one course out per month, it can be useful to send out complementary courses. Look at the course catalogue and consider if any courses would be good to pair together. For example, you could send out our courses on two-factor authentication and passwords in the same period, or our courses on protecting your work computer and mobile security in the same period.
Give new courses priority when possible
If it fits with your training goals, it’s a good idea to send out every new course when we release them (every other month). You can do this by filling in the months between with an older course or two. We always recommend sending out our new courses to ensure that your organisation is kept up to date with the latest security risks out there.
A step-by-step guide to making your own awareness training plan
After thinking about the topics above, you’re now ready to get started with making your own training plan. Whether you’re a CyberPilot customer or not, the exercise will help you make a training plan that suits your organisation. So, let’s go!
- First, identify the pain points in your organization, and be specific.
- Use our recommended course plan as a guide.
- Keep the frequency and number of courses similar to the recommended course plan.
- Keep the starting package.
- Other than that, swap out or add courses as you like.
1. Identify key IT security challenges
First of all, you need to know what you are trying to change. You need to identify the key problems or worries in your organisation that you want the awareness training to help with.
What does your organisation struggle with regarding IT security or personal data? Be specific. Is it paperwork with personal data lying out on people's desks when they leave for lunch? Do they often use free Wi-Fi on their work devices when travelling?
Once you have a concrete overview of what you want to solve, you can select courses that cover those pain points.
2. Use our recommended course plan for the first year as a guide
The key elements of our recommended security awareness training first year plan are the frequency and number of courses you send out.
3. Decide how many courses you want to send out, following our recommendation
We recommend that you send out 1-2 courses every 1-2 months. So, you could send out anywhere from 6-24 courses each year. Decide how many courses you want your users to take and go from there.
4. Keep the starting package
You can swap out other courses in our recommended plan, but we advise you to leave the starting package (Awareness Intro, Passwords, Phishing and Personal Data) untouched. It is meant to be sent out as the first round of courses, so it has been selected intentionally by our learning design experts to get your awareness training off to a strong start. You want to have the Awareness Intro to set the scene for what will happen and why your organisation is doing awareness training. The other three courses are meant to give a short and concise introduction to three of the most basic pillars of IT security and personal data.
5. Customize your course plan to your organisation's security profile
Essentially, you are free to swap out or add courses to our recommended course plan. You know your organisation, and if you have identified some key worries in your organisation that are not covered enough in our suggested plan, then you are welcome to create a new one. We highly suggest that you keep the overall framework (frequency and number of courses) and the starting package as they are, but other than that you can definitely create your own plan.
Depending on whether you want to auto-enrol users in each new course every other month, you will have more or fewer courses to select for your organisation. This is where it's up to you to decide what your organisation could benefit the most from and how many courses you want to give them.
Some examples of deciding what courses to swap out:
- If your organisation has another provider for GDPR-related topics, swap out the GDPR courses (e.g., Protect Personal Data) from CyberPilot and use some of our other courses instead.
- If you are an electricity provider and therefore an essential organisation for your country, you might want to swap one of the recommended courses for the Ransomware course.
- If you struggle with specific IT security problems like social media, then prioritize sending out Hacking on Social Media or Posting Pictures and Videos Online.
Next up, we’ll show you some examples of what a customized awareness training course plan could look like.
Example #1: Customized plan for a company with a focus on sensitive data
The organisation is just starting awareness training for the first time. It's something new, so the IT manager doesn't want to overwhelm their users with a lot of courses to do. They want to start out by using the recommended plan, with some slight adjustments. So they've decided to do one course every month, including CyberPilot's new courses.
The organisation is a small law firm, so they naturally have a lot of sensitive data. The IT manager wants to focus the training on small practices the employees should do to keep that data as safe as possible. Here's a possible plan for them:
| Month | Courses |
| --- | --- |
| Month 1 | Starting Package: Awareness Intro, Phishing, Personal data, Passwords |
| Month 2 | Break (they just did 4 courses, let's take a breath) |
| Month 3 | Protect your work computer |
| Month 4 | New course |
| Month 5 | How to handle a phishing email |
| Month 6 | New course |
| Month 7 | Two-factor authentication |
| Month 8 | New course |
| Month 9 | Mobile security |
| Month 10 | New course |
| Month 11 | Updates |
| Month 12 | New course |
Example #2: Customized plan for a recruitment firm that wants to make sure our new courses align with their training priorities
The IT manager at this company can see that CyberPilot already has a wide variety of courses in our catalogue, and they want to take full advantage of that! So, they'll regularly choose if they want to send out our newly released courses or if something from the catalogue is a better fit for that month. To do this, they've made a list of priority courses from the catalogue they can swap a new course for, if they see fit.
They want to send out two courses every other month. They are a recruitment firm, so most of their work is done over email, LinkedIn, and video/phone calls with candidates. These are the areas they want to focus on the most in their training.
| Month | Courses |
| --- | --- |
| Month 1 | Starting Package: Awareness Intro, Phishing, Personal data, Passwords |
| Month 3 | New course/course from priority list; Social Engineering |
| Month 5 | New course/course from priority list; How to handle a phishing email |
| Month 7 | New course/course from priority list; Two-factor authentication |
| Month 9 | New course/course from priority list; Mobile security |
| Month 11 | New course/course from priority list; Video security |
List of priority courses (if not sending the new course that month):
- Email and personal data
- Hacking on social media
- Working from home
- Phone scamming
In conclusion
That’s it for our recommended awareness training plan! We hope that our plan and guidance for making your own training plan helps you get an idea of what topics are important to cover in training, how often you should do training, and what to consider when making a training plan. If you have any questions, please contact us at info@cyberpilot.io.