How long should security training last? Short version: shorter than you think. A module of four to eight minutes lands demonstrably better than an hour-long session, and a year cycle of twenty to thirty minutes total is almost always enough. But the real question is not 'how long' but 'how distributed' and 'how relevant'. What works, what does not, and where are the upper limits?
Why shorter demonstrably works better
Research on learning retention has pointed the same way for years: short modules spaced over time (distributed learning) yield more lasting knowledge than one long session (massed learning). For security awareness it also has to drive behaviour, not only knowledge: the employee must have the right reflex at the right moment. Repeated short moments serve that better than one deep dive.
In practice: a six-minute module on phishing recognition followed by a quarterly simulation produces a lower click rate after a year than a yearly sixty-minute module covering everything. The difference is not in content but in how it lands: the short module gets completed and briefly revisited; the long one is skim-read or clicked through.
Cognitive load also matters. Twenty minutes of concentrated attention on a topic the employee does not find inherently interesting is the upper limit. Above that, retention drops sharply. Seven-minute modules sit well inside the limit and hold attention.
Reference times per module type
Workable lengths per training type:
- Microlearning module (one theme): 4-8 minutes. The workhorse of the year programme.
- Annual base training (compliance): 20-30 minutes total. Split into four to six microlearning blocks spread across weeks. GDPR, AUP acceptance, Cbw basics, AI literacy.
- Role-based deep-dive: 8-15 minutes. A little more room because the content is directly relevant.
- Board training under Cbw art. 24: 45-60 minutes annually plus two tabletops. Different audience, different cadence; board members expect deeper substance.
- Onboarding for new joiners: 15-25 minutes in the first week, split into two to four sessions.
- Phishing simulation plus on-click microlearning: max 2-3 minutes. The simulation is near-instant; the microlearning after a click must be short and concrete.
What is too long and what is too short
Two extremes the practice often falls into:
Too long: one yearly hour or more for everyone. Result: high administrative completion rates, low behavioural retention.
Too short: one or two minutes without real learning content. Result: employees feel they learn nothing, and the programme loses credibility. Below four minutes you might as well not offer a module at all.
Six to ten minutes per module is the sweet spot for most organisations.
How DORA, Cbw and AI Act handle duration
No legal framework specifies how long training must last. What the law does ask:
DORA article 13 asks for "regular" training with measurable effectiveness. Supervisors read this as at least 30 minutes formal annually plus demonstrable behaviour evidence.
Cbw article 21 asks for awareness and training as part of policy. No specific duration; demonstrable regularity and effectiveness count.
Cbw article 24 (board training) asks for periodic training; 45-60 minutes annually plus tabletops is accepted as duty of care.
EU AI Act article 4 asks for AI literacy without specific duration. A six- to eight-minute module suffices.
Common thread: demonstrability counts more than absolute duration. A short module that everyone completes and that drives behaviour change weighs more than a long one that half the staff never finish.
How to anchor this in an awareness programme
A workable year cycle with realistic time burden:
Onboarding: 15-25 minutes in the first week, two to four blocks.
Monthly: one microlearning module of 4-8 minutes. Annual total 48-96 minutes across 12 blocks.
Quarterly: one phishing simulation (minimal extra burden) plus on-click microlearning (2-3 minutes).
Six-monthly: a role-based deep-dive of 8-15 minutes for risk groups.
Annual: a formal compliance base of 20-30 minutes.
Board: 45-60 minutes formal plus two tabletops of one to two hours per year.
Total burden for an average employee: about 1.5 to 2.5 hours per year in short blocks. Risk roles add 20-40 minutes; board members 2-4 hours. Demonstrably enough for both compliance and behaviour change.
See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.
View the training page
Related articles
- Microlearning for employees with limited time
- How often should employees take security training?
- Which topics should a security training cover?
- How do I make security training engaging?
Sources
FAQ
How long should a module last?
Four to eight minutes per microlearning module. Beyond ten minutes attention drops; below four minutes no real learning lands.
How much time per year in total?
Most employees: 1.5 to 2.5 hours per year across twelve microlearning blocks plus the annual base. Risk roles: 20-40 minutes extra; board members: 2-4 hours.
Is one annual hour-long training not more efficient?
Administratively it seems so, but behaviour metrics show the opposite. One long session lands worse than twelve short ones across the year.
What does the law say about duration?
No framework (Cbw, DORA, AI Act, GDPR, ISO 27001) names specific duration. Demonstrable regularity and effectiveness weigh more.
How long for onboarding?
15-25 minutes in the first week across two to four blocks.
How long for board training under Cbw art. 24?
45-60 minutes of formal training annually plus two tabletops of one to two hours per year, accepted as duty of care.
What if employees ask for longer or deeper modules?
Offer optional deep-dives without making them mandatory. Voluntary uptake is a strong signal of resonance.
External source: NIST - Security awareness and training