Program Management
October 18, 2025
PhishFirewall Team

How Often Should Security Awareness Training Be Conducted?

Annual training is no longer enough. Learn the optimal frequency for security awareness training to ensure retention and compliance.

The short answer: Ideally, training should be continuous. At a minimum, organizations should conduct formal training annually, but supplement it with monthly updates to be effective.

The Forgetting Curve

Why Annual Training Fails

Forgetting-curve research is usually summarized as people losing roughly 70% of new information within 24 hours if it is not reinforced. By month six, the annual training session is a distant memory, and the phishing lure that arrives then meets a user who has effectively had no training at all. Consistency beats intensity.

Recommended Cadence

1. Onboarding

Days 1-30. Comprehensive training on policies and tools, completed before the new hire has been handling email and credentials for a month.

2. Monthly

Micro-learning (2-5 minutes) on one specific topic, such as 'Holiday Scams'.

3. Simulations

Monthly phishing tests. This is the sweet spot: frequent enough to keep users vigilant, infrequent enough to avoid test fatigue.

4. Annually

Formal refresher course covering policy and compliance updates.

5. Ad-Hoc

Just-in-time training triggered immediately after a user fails a simulation, while the mistake is still fresh.

Factors Influencing Frequency

Compliance: PCI DSS (Requirement 12.6) requires security awareness training upon hire and at least once every 12 months thereafter; other frameworks set similar floors, so treat annual as the minimum, not the target.
Risk Level: Finance and HR handle payments, payroll and personal data, so they need more frequent touchpoints than the company average.
Turnover: High turnover means a steady stream of untrained users, so onboarding has to run as a continuous loop rather than a quarterly batch.
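The cadence above and the risk and compliance factors in this list are easy to state and easy to lose track of across a few hundred employees. The following is an added example, not PhishFirewall's code or any product feature: a small compliance checker that takes a roster exported from an LMS or phishing-simulation platform and reports who is overdue for which item. The 30-day onboarding window, monthly micro-learning and simulations, and the 12-month refresher come from the article; the two-week simulation interval for Finance/HR and the two-day deadline for just-in-time training are assumptions made here, as is the constructed roster.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Intervals taken from the cadence in the article; the two marked lines are assumptions.
ONBOARDING_DEADLINE_DAYS = 30              # "Days 1-30"
MICRO_LEARNING_INTERVAL_DAYS = 31          # monthly micro-learning
SIMULATION_INTERVAL_DAYS = 31              # monthly phishing test
HIGH_RISK_SIMULATION_INTERVAL_DAYS = 14    # assumption: Finance/HR get twice the touchpoints
ANNUAL_REFRESHER_DAYS = 365                # PCI DSS: at least once every 12 months
JIT_DEADLINE_DAYS = 2                      # assumption: "immediately" means within two days
HIGH_RISK_DEPARTMENTS = {"Finance", "HR"}


@dataclass
class Employee:
    name: str
    department: str
    hire_date: date
    onboarding_completed: Optional[date] = None
    last_annual_refresher: Optional[date] = None
    last_micro_learning: Optional[date] = None
    last_simulation: Optional[date] = None
    simulation_failures: list[date] = field(default_factory=list)
    jit_completions: list[date] = field(default_factory=list)


def overdue_items(emp: Employee, today: date) -> list[str]:
    """Return the cadence items this employee is overdue for as of `today`."""
    findings: list[str] = []

    def age(d: date) -> int:
        return (today - d).days

    # 1. Onboarding must be complete within the first 30 days. Until it is,
    #    nothing else is due: a new hire is not yet in the monthly loops.
    if emp.onboarding_completed is None:
        if age(emp.hire_date) > ONBOARDING_DEADLINE_DAYS:
            findings.append("onboarding")
        return findings

    # 2. Annual refresher. Onboarding counts as the first formal session, so the
    #    12-month clock runs from whichever formal training happened last.
    last_formal = max(
        d for d in (emp.onboarding_completed, emp.last_annual_refresher) if d is not None
    )
    if age(last_formal) > ANNUAL_REFRESHER_DAYS:
        findings.append("annual refresher")

    # 3. Monthly micro-learning.
    if emp.last_micro_learning is None or age(emp.last_micro_learning) > MICRO_LEARNING_INTERVAL_DAYS:
        findings.append("micro-learning")

    # 4. Phishing simulation; high-risk departments are tested more often.
    interval = (
        HIGH_RISK_SIMULATION_INTERVAL_DAYS
        if emp.department in HIGH_RISK_DEPARTMENTS
        else SIMULATION_INTERVAL_DAYS
    )
    if emp.last_simulation is None or age(emp.last_simulation) > interval:
        findings.append("phishing simulation")

    # 5. Just-in-time training: every failed simulation needs a completion
    #    recorded within the deadline that follows it.
    for failed_on in emp.simulation_failures:
        deadline = failed_on + timedelta(days=JIT_DEADLINE_DAYS)
        done = any(failed_on <= c <= deadline for c in emp.jit_completions)
        if not done and today > deadline:
            findings.append(f"just-in-time training (failed simulation on {failed_on.isoformat()})")

    return findings


def compliance_report(roster: list[Employee], today: date) -> dict[str, list[str]]:
    """Map each non-compliant employee to their overdue items; compliant staff are omitted."""
    return {e.name: items for e in roster if (items := overdue_items(e, today))}


# Constructed sample roster (not real data) as of the report date below.
TODAY = date(2025, 10, 18)
ROSTER = [
    Employee("alice", "Finance", date(2024, 1, 8), onboarding_completed=date(2024, 1, 20),
             last_annual_refresher=date(2024, 9, 30), last_micro_learning=date(2025, 10, 1),
             last_simulation=date(2025, 9, 29), simulation_failures=[date(2025, 9, 29)],
             jit_completions=[date(2025, 9, 30)]),
    Employee("bob", "Engineering", date(2025, 8, 25), onboarding_completed=date(2025, 9, 10),
             last_micro_learning=date(2025, 9, 10), last_simulation=date(2025, 10, 6),
             simulation_failures=[date(2025, 10, 6)]),
    Employee("carol", "Sales", date(2025, 9, 10)),
    Employee("dave", "HR", date(2023, 3, 1), onboarding_completed=date(2023, 3, 15),
             last_annual_refresher=date(2025, 3, 3), last_micro_learning=date(2025, 10, 10),
             last_simulation=date(2025, 10, 13)),
]

if __name__ == "__main__":
    for name, items in compliance_report(ROSTER, TODAY).items():
        print(f"{name}: overdue for {', '.join(items)}")
```

In the sample roster, alice is 383 days past her last refresher and, as Finance, past the 14-day simulation interval; bob's onboarding is recent enough that his refresher clock is fine, but his last micro-module is 38 days old and he never received just-in-time training after failing the 6 October test; carol is 38 days into employment with no onboarding recorded; dave is fully compliant and therefore absent from the report. Point the roster at your own export and run it monthly, and the "annual minimum, monthly supplement" rule becomes something you can actually enforce.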

Key Takeaway
"Think of training like exercise. You can't go to the gym once in January and expect to be fit in December. Consistency is key."
