Benjamin Maximilian Berens (SECUSO, Karlsruhe Institute of Technology), Katerina Dimitrova, Mattia Mossano (SECUSO, Karlsruhe Institute of Technology), Melanie Volkamer (SECUSO, Karlsruhe Institute of Technology)
The use of security awareness and education programmes is very common in organisations. But how effective are they over time? Some initial research on this question is, among others, the extensive study of Reinheimer et al. [74] that measured effectiveness at several time intervals. Their research found still significantly better results than before the awareness program after four months, but no longer after six months. This left open a two months interval for the reminder. The contribution of our paper is to study whether the reminder should be closer to four or six months. Thus, we measured effectiveness after five months. With still significant better results than before the programme after five months, we conclude that it is recommended to remind users more towards six months rather than already after five. However, we kindly invite the community to conduct more long-term studies, in different contexts, to confirm these findings.