How Often Should Security Awareness Training Take Place?

April 2026

"Once a year" is the answer most companies give. It is also the answer that works the least. Research is clear: knowledge that is refreshed once a year is largely forgotten after three to six months.

But "one hour of mandatory training every month" is just as unrealistic for SMEs. The question is: what is the optimal compromise between effectiveness and effort?

What Regulation and Standards Recommend

NIS2 speaks of "regular" training without specifying a concrete interval. In practice, "regular" means at least annually — but auditors will ask critical questions about whether one training per year is sufficient.

ISO 27001 likewise recommends at least annual training, supplemented by event-driven training when new threats emerge or after security incidents. Germany's BSI IT-Grundschutz goes one step further and recommends a combination of regular and situational measures.

The ENISA guidelines emphasize that awareness is not a one-off event but a continuous process. Training should use different formats and be distributed across the year.

What the Research Shows

The Ebbinghaus forgetting curve shows that newly acquired knowledge decays exponentially without repetition. After one month, about 80 percent is forgotten. For security awareness this means: an annual training has, at best, three to four months of effect.

Studies on phishing simulations confirm this pattern. The click rate rises noticeably after a training if no repetition takes place. Companies that run regular simulations over a twelve-month period achieve significantly better results than those with a single campaign.

The optimal rhythm according to research: one baseline training plus at least four "touchpoints" per year — whether through short refreshers, phishing simulations, or event-driven communication.

A Workable Training Plan for SMEs

A realistic annual plan for an SME with a limited time budget looks like this:

In the first month, all employees complete the baseline training on the core topics: phishing, passwords, social engineering. Duration per person: 45 to 60 minutes. This can be completed flexibly over two to three weeks.

In months three to six, the advanced training follows: mobile working, physical security, AI risks, clean desk. Again flexible, in short modules.

Spread across the entire year, four phishing simulations run — unannounced, with different templates. Every simulation is a learning moment: whoever clicks gets immediate feedback. Whoever reports gets confirmation.

Event-driven short communications are added: after a real phishing attempt at the company, when new scams appear in the media, or after a security incident.

New Employees — Onboarding Training

For new employees, security awareness should be part of onboarding — within the first 30 days. They start with the baseline training and are then integrated into the regular annual rhythm.

The first weeks are the highest-risk phase: new employees do not yet know the internal processes, cannot distinguish real from fake internal emails, and are particularly susceptible to social engineering.

The Rule of Thumb

Once a year is the minimum for compliance. Four times a year is the minimum for effectiveness. The combination of an annual baseline training and quarterly phishing simulations is the most workable approach for SMEs — with the best ratio of effort to results.

Start now: baseline training plus ongoing phishing simulations. Learn more in the free security awareness training.

Start for free →