Practice Makes Permanent: Avoiding The Training Forgetting Curve

Despite decades of research about how adults learn, many organizations continue to follow an antiquated model of training design that is counterproductive to their goals.

When it comes to security awareness, reducing risk to the company and its employees is paramount. There is little room for error or inefficiency, so when an organization invests in security education, it must be effective. Yet within a single day a person will forget 60 percent of the information consumed in a traditional security awareness training program. For most organizations, in reality all organizations, retaining only 40 percent is not just a failing grade but also a huge risk factor.

There is no doubt that there is a correlation between an organization's security vigilance and education and its susceptibility to data breaches. This is exactly why the majority of recent data breaches resulted from phishing attacks. Unless employees retain their security training, the forgetting curve kicks in, and the door is left wide open to threats.

Short, Focused, and Frequent

At PhishLabs we counter the loss of information caused by the forgetting curve through the use of microlearnings. These short, interactive modules allow trainees to learn one core concept at a time, receive regular reinforcement of what they have just learned, and practice it in real-world simulations. In this video we hear from our Senior Instructional Design Specialist, Kimber Bougan, on how the Short, Focused, and Frequent education model is applied to security awareness training programs.



The Forgetting Curve

Have you ever played Simon Says, the game that includes four different colors and progressively requires you to remember an elongating pattern? In just moments you experience the same concept we face when absorbing new information on a regular basis: forgetting. Taking in new information isn’t an easy task, and it’s even more challenging when you’re expected to actually apply that information, not just memorize it.

The Forgetting Curve is an ideal representation of this process in motion. Within a day we forget about 60 percent of new information, and after nearly a week we can expect most of it to be gone. Now consider how ineffective and risky this is for an organization that handles any type of customer information, financial data, or even private company details. That is an excessive amount of risk, and the result is an ineffective security awareness training program.


Here’s a quick comparison of what most training programs have to offer:

  • Security training usually offered only once a year
  • Little opportunity to reinforce the information
  • Nearly 60 percent of information is forgotten within a day
  • Training comes in the form of long videos with numerous topics
  • In worst case scenarios simulations are occasionally used in place of training (don’t do this)

In order to retain information and create real changes to user behavior, a program should consist of:

  • A foundation of training to set expectations
  • Regular or monthly modules
  • Reactive modules when additional training is needed
  • An education model developed with adult learners in mind
  • Highly interactive modules
  • Modules that focus on a single objective at a time

“Continuously reinforcing these learning objectives in new and engaging ways means strengthening the neural networks that characterize learning,” said Bougan.

On paper the latter may seem more labor intensive, but in reality, even when spread out over the course of a year, employees still breeze through the information in bite-sized doses and don't have to spend hours watching videos.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at: