How much training is enough?
Is there really an answer to this? Does it not depend upon the product and the individual learner?
Quite likely, the only real answer to this question is to determine the amount of training that is necessary by reviewing the corporate security policies and determining what is critical from a security perspective and what is not. Typical physical security training is about a minimum of 40 hours of training per core competency. This however, could be overkill if the individual's role is not that of a physical security officer, but instead is a program or project manager with no responsibility for security within the organization.
The amount of training is typically related to the type of task being performed. With security awareness that is difficult to quantify unless you look at what is critical from a security perspective based on the individual's job role in the organization. Ultimately, security awareness training should be based on the role the individual learner has in the organization and what potential risks/threats that person might encounter. Basing training on the individual's role is a much more precise way to develop effective security awareness training.
