Spitzner also recommends avoiding monolithic, hours-long training. Instead, he says, take a modular approach to topics; the modules could be as short as three to five minutes. Primary training should consist of a mix of short videos and onsite training, with newsletters and even sanctioned phishing assessments for reinforcement. Facebook feeds, Twitter feeds, posters and flyers can also play a role. It's important that employees receive primary training once a year and then reinforcement through continuous touchpoints throughout the year, Spitzner says.
Finally, the program requires metrics that measure employee engagement with the program and how their behavior changes as a result. The program should be reevaluated and updated at least once a year based on the metrics.
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at email@example.com