What It Takes To Do Security Awareness Training On Your Own
There are a lot of challenges to working with security awareness training on your own, and it can be hard to predict all of them if you haven’t tried setting it up yourself. A main challenge is not having enough time or resources to create, administer, and maintain a high-quality program on your own. In this blog post, we give you our advice on what it takes to make a successful awareness training program yourself. We lay it all out for you, and in the end, we will also write about what it is that we can help with. Hopefully, this can help you figure out if you want to create your own awareness training or mix it up with some outside help.
Doing security awareness training on your own is harder than most people think
It’s easy to underestimate the amount of work that goes into creating a high-quality awareness training program. But it’s really a huge undertaking. Regardless of whether you do the training online or in person, you’ll have to invest significant amounts of time and money to get it up and running. And then, you have to maintain it.
Sure, you could make a very bare-bones training program. Maybe it will consist of a few documents for your employees to read, or a PowerPoint presentation you give at an organisation-wide meeting.
But do you think it would work?
Sure, this would get the information out there, but the best learning research says that it won’t lead to a change in behavior or high long-term levels of awareness. The training could help you check a box for compliance, but it probably wouldn’t reduce the likelihood of a security incident in your organisation.
We recommend focusing on high-quality training
At CyberPilot, we believe in security awareness training where long-term learning, awareness, good digital habits, and a strong security culture are the focus.
We think you should too if you want to increase your organisation’s cyber resilience.
Your training should give your users the very best chance to learn good digital skills and protect your organisation from security threats. There are plenty of benefits from security awareness training.
To achieve the best long-term learning outcomes, we recommend that you make it interactive, engaging, and ongoing. Creating microlearning moments and making training material that requires user participation are some ways you can do this. For some other ideas, we’ve written out 11 tips to succeed with security awareness training.
So, now that we have our sights set on quality training, let’s dive into what it takes to create a continuous, engaging training program.
First, you need a digital platform to support your training
It's time-consuming and expensive to do in-person training, so many organisations opt for online training. It's more convenient for the employees and the training administrator that way, especially in a larger company where it can be difficult to get everyone together. Online training also has the benefits of tracking completion and allowing users to do the training when it’s convenient for them.
Doing awareness training digitally requires a platform where you can both send out courses and follow up on the results. So, you’ll need an LMS for administering the training.
- A popular Danish LMS system, Activate LMS, starts at €1,600 per user per year with additional costs for the LMS to be created, branded, and to allow single sign-on. If you’re buying it for the first time, it’ll cost an extra €1,350 for the LMS to be created and set up for you.
You’ll also need a tool for creating courses
Having the LMS is the first step, but it won’t be much use if you don’t have any training materials to send out. So, you’ll probably buy an authoring system that can help you build quality e-learning courses.
- The most widely used authoring tool, Articulate, runs for about €1,050 for one user each year.
So, with the LMS and the authoring tool, your first-year annual cost starts at about €4,000 for one user. But you probably need more than one user so the cost will quickly increase.
Creating good courses isn’t a no-brainer
With an authoring tool, you might think making the training material will be easy. It’s definitely easier to create quality e-learning courses if you have the tool. But making good material that communicates a topic well, is visually engaging, and gives you the ability to test learning outcomes is hard.
Let’s face it – most IT managers aren’t experts in communication or learning design. And that’s ok! This is all to say that the tools are just technology that can support you – but they can’t do all the hard work for you.
And then you’ll have to make the courses, continuously
To give you an idea of what it takes to make a good course, we’ll tell you how we do things at CyberPilot.
We actually spend at least 100 hours making just one 5-7 minute course. That's a huge investment! It might seem like a lot, but when you think about how long it takes to come up with and execute the content for all the different parts of the course, it starts to add up. This doesn’t even include the rounds of feedback and edits to make sure you’re communicating at your users’ own level.
To keep the training continuous, you’ll have to create courses again and again. We recommend giving your employees 1-2 courses every 1-2 months to build and maintain awareness.
Of course, we also make our courses for thousands of people, so we take time to ensure they’re of excellent quality. If we only made the courses for our own company, it might take less time than 100 hours per course.
We could make a conservative estimate that it might take somewhere between 15-40 hours per course, depending on the amount of research you do, the quality of the course, and the time spent incorporating feedback. The first couple of courses will take longer to make, as you’re learning how to use the LMS and authoring tool.
What could it cost for an average company to make their own courses?
Time to do some math.
If you make the minimum number of courses, one every other month, that’ll be 6 courses per year. Let’s say the salary of the person making the courses is €27 per hour (this is a low salary estimate, as the average hourly salary in Denmark is €36). At our conservative estimate, 6 courses could take between 90-240 hours per year just to make. This comes out to a salary of about €2,400-€6,500 per year to make the courses.
So, with the LMS, authoring tool, and labor, now the cost of making the courses yourself is a minimum of somewhere between €6,400 and €10,500 per year for just one user.
You should make a learning curriculum that balances repetition with new information
Part of a successful awareness training program is the course curriculum. Just like you can’t start out with advanced calculus when you’re learning math, you need to provide foundational IT security knowledge before you can dig into the more complicated stuff. There are so many topics that are important for your colleagues to know about, and if you’re using our recommended microlearning format, you can’t pack all there is to know about a topic into one course.
So, you should plan to start out with the basics. From there, you can build a curriculum that repeats key skills while providing new knowledge.
It’ll be helpful for you to spend some time figuring out the right curriculum at the beginning, so you know what topics your training should cover now and where you want it to end up.
This can take a couple of hours when you’re getting started.
Creating the training is only the first step
After you’ve created a training course, you have to communicate about the training to your office so everyone is on board. You also have to administer how and when your courses are sent out, and follow up with any of your colleagues who haven’t done the training.
We also recommend that you actively seek input and feedback from your organisation on the training, so you can make sure to improve with each new course you create. Getting user feedback will also make your employees feel they are a valuable part of the training, which is a good thing.
So, every new course you send out will require at least an hour or two of communication work alone.
At the same salary of €27 per hour, that comes out to about €160-€320 per year for managing the training.
All things considered, the cost of making and administering the training yourself is now a minimum of somewhere between €6,560 and €10,820 per year for one user.
But you probably need more than one user
Let’s make the example more realistic. Say you have a company of 100 employees who all need to take the training. To keep things simple, we’ll assume that you only need one administrative user for the LMS and authoring tool.
Activate LMS charges an additional €8 per year for each 100 users. So, the LMS price is now €3,750 for the first year, and with the authoring tool, the cost of tools would be €4,800 per year.
With the €27 per hour salary for the creation and administration of 6 courses, the labor would cost about €2,575-€6,760 per year.
The total cost would be somewhere around €7,375-€11,560 per year. And this is for the bare minimum of 6 courses per year.
It’s an ongoing process
The steps we’ve taken you through for planning, creating, and administering awareness training must be done continually. So, you’ll have to keep creating new courses while following up on the training you’ve already sent out.
If it’s just you in charge of the training, your time can quickly be consumed by these tasks. You might find that you need to hire someone else to get everything done with the training plus your other IT security tasks. This is something you’ll have to consider when you’re planning out the resources it will take to create and maintain an effective awareness training program.
It comes down to time spent creating the program and time spent managing it
It can be helpful to divide the awareness training into two categories: the time spent creating the training and the time spent managing it. The creation part is where the bulk of your time will be spent if you do it yourself. Here, you’ll come up with the topics you want to train your employees on, the level of knowledge you want to create, and the learning philosophy you want to follow. And then, you’ll put it all into action by creating great training material for your colleagues.
The managing part is going to take you much less time. You’ll just have to decide when to send out courses (and who gets what courses), communicate about the importance of the training, and then follow up on incomplete training when needed.
What you should consider when deciding to do it yourself vs. getting outside help
It’s a lot of work to do by yourself, but it’s not impossible. We encourage you to be realistic about how much time you can dedicate to awareness training if you keep doing all your current tasks.
- Do you have enough time and resources to get it all done?
- Does your budget allow you to purchase the required tools? What about hiring another teammate to help with your other tasks?
- How much do you already know about training best practices?
- How many courses can you realistically make each year? Is that enough?
- What other tasks could slip through the cracks?
- Will you be able to maintain a long-term training program?
These are just some of the questions you should ask yourself. Then, you’ll be in a better position to decide if you want to do the training on your own or get some outside help.
Of course, there's another way.
We can do 90% of the awareness training work for you.
Our security awareness training can do almost all the work for you
CyberPilot’s awareness training solves a lot of the above challenges. We completely take care of the time, software, and expertise needed to create good training. We have the e-learning platform, dozens of ready-made and top-quality courses, plus a training plan for you to follow.
All that’s left for you to do is communicate why the training matters and send personalized follow up to ensure the training is being prioritized in your organisation.
Remember our conservative cost estimate for creating and managing the training yourself for 100 employees: somewhere between €7,375-€11,560 per year.
With CyberPilot’s awareness training, the total annual cost for 100 users is €5,504.
We’re not saying that doing the training yourself is a waste of time and money, but why not at least try our courses and see what you think?
We fully take care of all the work needed to create a training program
Using CyberPilot’s courses and platform straight out of the box immediately takes care of about 90% of the work needed to run an awareness training program.
- Our training platform keeps everything you need in one place with tools to easily send out courses, track completion, and follow-up
- We have learning design experts – so you don’t have to be one
- You get dozens of ready-made courses with a new course released every other month
- It’s easy to follow our course curriculum, which tells you when to send out which courses
-
Our platform makes it easier for you to plan and schedule your phishing campaigns months in advance.
With CyberPilot, you put in 10% of the training work, instead of 100%
If you decide to switch things up and work with a security awareness training provider like us, you'll only be responsible for doing some of the work around administering and managing the program. These are the tasks that need your human touch, like working to improve organisational security culture. They can't be successfully automated, and are best done by someone with knowledge of and leadership within your organisation.
All that's left is following up on the training when needed and working to promote a strong security culture in your organisation. This is about 10% of the work. Even though you’ll have to do this yourself, our customer success managers will be there with you every step of the way to help you succeed.
You could be left with just having to spend 1-2 hours per month on training
We want to make training as easy as possible, so we only give you tasks that need your touch for the program to succeed. Most of our administrators spend no more than one or two hours each month on awareness training.
So, getting outside training helps give our customers tons of hours back in their day to focus on other tasks. And they can rest assured that their organisation’s training is in good hands.
See what our customers say about our awareness training.
In conclusion
We hope this post has helped you get an idea of what it takes to do security awareness training on your own. We know it can be a lot of work, but that’s also what we’re here to help you with. If you’re interested in learning more about what goes into a successful awareness training program, contact us at info@cyberpilot.io.
You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.