Frequently Asked Questions

Security Awareness Training

by Daniel J. Solove

What does the law require for security awareness training for employees?  What are organizations currently doing, and what should they be doing?  Below are answers to these security awareness training questions:

What is the return on investment (ROI)
for security awareness training?

There’s a huge ROI on security awareness training.  A few years ago, a PricewaterhouseCoopers report calculated the ROI of security awareness training as half a million dollars.

Because most data security breaches involve human error, security awareness training can reduce the risk of having breaches.  Each member of the workforce is a risk.  The more workforce members who are careful, the lower the overall risk will be.

The cost of a data security breach is very high.  The average cost of a data breach is more than $150 per record.  Thus, a breach involving 50,000 records would amount to $7.5 million on average.  In contrast, security awareness training is quite low in cost. In most cases, training costs less than 1% of what a breach would cost.


Is security awareness training required by law?

Many laws require security awareness training.

HIPAA. Both the HIPAA Privacy Rule and the HIPAA Security Rule have security awareness training requirements.  The HIPAA Privacy Rule training requirement is at 45 CFR § 164.530(b)(1).  The HIPAA Security Rule training requirement is an administrative safeguard at 45 CFR § 164.308(a)(5).  HIPAA requires a covered entity to train all workforce members on its policies and procedures with respect to PHI. Each new workforce member must be trained within a reasonable period of time after hiring. Thereafter, training must be given whenever there is a material change in policies or procedures. Covered entities and business associates must provide a security awareness training program for all workforce members. This program must include periodic security updates.

Gramm-Leach-Bliley Act (GLBA). The GLBA Safeguards Rule, 16 CFR § 314.4, requires employee training. Interagency guidance recommends that organizations: “Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and Train staff to properly dispose of customer information.”

Massachusetts’s Data Security Law. Massachusetts’s 201 CMR 17.03 requires training as part of a comprehensive information security program. Training should focus on reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information. Training must be “ongoing” and must be given for not only permanent employees but also temporary and contract employees.

Federal Information Security Management Act (FISMA). FISMA, 44 U.S.C. § 3544, requires that federal agencies establish a security awareness training program. The program must include contractors and “other users of information systems” that support the agency. The program must address information security risks and each employee’s responsibilities in complying with agency policies and procedures to minimize security risks.


Are there other security awareness training requirements?

In addition to security awareness training required by law, various codes and standards require training.

Payment Card Industry Data Security Standard (PCI-DSS).  PCI-DSS is a standard developed by the credit card industry’s PCI Council.  PCI-DSS Requirement 12.6 requires that organizations implement a formal security awareness training program to make all personnel aware of the importance of cardholder data security.  Personnel must be trained upon hire and at least annually.

ISO/IEC 27002. The International Organization for Standardization (ISO)’s information security standard ISO/IEC 27002:2005 is one of the most widely followed standards among organizations throughout the world. The standard provides guidance on information security management in organizations, and it contains a requirement that all employees receive data security awareness training.

NIST Special Publication 800-53. NIST 800-53 is one of the most relied-upon security standards.  Many federal agencies look to NIST 800-53 to guide their rulemaking and enforcement.  According to NIST 800-53: “Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents.”

How long must the training be?

Most laws do not specify any particular length for security awareness training.  Obviously, training for just a few minutes wouldn’t be sufficient, but training does not have to go on for hours.

A common mistake I see in training programs is that they are often too long and bombard people with a lot of information they don’t need.  The human attention span is very short.  What matters more than time is the content of the training and how effectively and memorably the information is taught.


What topics must security awareness training for employees cover?

Most laws do not specify particular security topics or best practices that training must cover.  The most specific training requirement is the HIPAA Security Rule, which provides that training cover protection from malware and password best practices.

I believe that good security awareness training should cover the following topics:

These are the areas most involved with data breaches, especially phishing and portable devices.

People need to understand broadly that they play a big role in data security.  People need to learn to be more suspicious and to pause and think before clicking.  They need to know what to do when something seems suspicious.


How often must training be given?

Laws vary on the frequency of training, with some requiring it upon hiring and others requiring it annually.  In practice, most organizations train all employees at least annually on information security awareness, and I strongly believe that this is the best practice.  Memories fade quickly.  People need to be constantly reminded of what they must do, because all it takes is one lapse and there will be an incident.

The HIPAA Security Rule requires a security awareness training program for all workforce members with an implementation specification that the program include periodic security updates.  The Security Rule doesn’t define what “periodic” means or when and how often people must be trained.  Nor does it define what the periodic security updates must consist of.

Security awareness training is essential because humans are the biggest security risk.  The risk is huge, and the costs are huge, so I recommend that organizations train frequently.

What are the consequences for inadequate security awareness training?

First, regulators can issue penalties.  Inadequate training is low-hanging fruit for a regulator.  It’s an easy thing that regulators can use to find fault.

Second, inadequate training will result in more data breaches in the long run.  It’s inevitable.  Humans are the greatest security risk.  Training is a way to reduce that risk.  There’s no way to get the risk to zero, but because each person is a risk, the more people that training educates, the lower the risk will be.


About Professor Solove and TeachPrivacy

This resource page was written by Professor Daniel J. Solove.  Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught for 15 years, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. And, his LinkedIn blog has more than 970,000 followers.

TeachPrivacy provides privacy awareness training, security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics.  TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.
