How to start building a yearly security awareness training program

Moving from once-a-year training to a year-round microtraining format is one of the most effective ways to drive engagement and behavior change. It’s also backed by well-established learning science: people retain information better when lessons are spaced out over time, and habits form more reliably through repetition, not one-off exposure.
 

 

Still, building your first yearly security awareness program can feel daunting. In this article, we outline a foundational annual training structure with category and module recommendations, so you can quickly launch a program that strengthens your organization’s security culture.

Build the Optimal Cadence

Our data shows that approximately 32 microtrainings per year is the ideal frequency for most organizations. This cadence strengthens awareness quickly while helping people maintain new behaviors over time. It also forms a stable backbone for your annual security awareness plan.

From there, we recommend layering in themed campaigns that tie security behaviors to moments already recognized across the industry, such as:

  • Data Privacy Week
  • Cybersecurity Awareness Month (October)
  • Company-specific initiatives tied to internal goals or regulatory changes

These campaigns create natural peaks in awareness and offer opportunities for targeted communication, leadership involvement and cross-functional engagement.

Organizations with more advanced programs — or those operating in highly regulated environments — can add role- and risk-based training on top of the core 32-touch plan. But if you’re just getting started, begin with the foundational microtrainings. Establish the basics, observe early results and then refine from there.

 


Choosing the Right Topics (Categories)

For organizations launching their first structured program, or onboarding new users into Hoxhunt, we recommend starting with the Security Awareness Essentials category. These modules introduce the fundamental skills everyone needs, including password security, phishing reporting and secure browsing.

These topics create a well-rounded awareness baseline across your workforce. Training modules for each category can be found in the Hoxhunt Security Awareness Training (SAT) library.

 

Quarterly Topic Recommendations

After establishing the essentials, you can shape your annual plan around broader quarterly themes that deepen understanding and reinforce behavior change.
 

Q1: Categories "Security Awareness Essentials" or "Onboarding New Hoxhunt Users"

Modules:

  • Welcome to Hoxhunt
  • Getting Started with Hoxhunt
  • Reporting a Ransomware Attack
  • Reporting Phishing (Outlook or Gmail)
  • Creating Strong Passwords
  • Multi-factor Authentication
  • Browsing the Internet Securely
  • Data Handling and Labeling
  • Keeping Devices Updated
     

Q2: Category "Device Security"

This quarter focuses on the importance of maintaining secure devices — laptops, desktops and phones — which remain primary entry points for attackers.

Modules:

  • Device Security: Backups
  • Device Security: Restarting Devices
  • Device Security: Data Storage

For mobile users:

  • Device Security: Limit Rights of Mobile Apps
  • Device Security: Mobile Security
     

Q3: Category "Social Engineering"

Modules in this category help employees recognize the tactics attackers use to manipulate trust, urgency or context — the core of human-targeted attacks.

Modules:

  • Social Engineering: Credential Harvesters
  • Social Engineering: Hovering Over Links
  • Social Engineering: Visual Deception
  • Social Engineering: Checking Emails Before Forwarding
  • Social Engineering: Authority
  • Social Engineering: Pretexting
     

Q4: Categories "Privacy" and "Information Handling"

This quarter connects awareness back to data governance, compliance requirements and everyday information-handling decisions that carry significant risk.

Modules:

  • Privacy: Introduction to Personal Data
  • Device Security: Shadow IT
  • Privacy: Externally Shared Files
  • Privacy: Collecting Personal Data
  • Privacy: Using Personal Data

Additional module for Microsoft environments:

  • Privacy: Microsoft Teams — External Contacts
     

A Sustainable Path to Behavior Change

After running this program for a year, we recommend gathering insights through a short employee survey. Consider asking how confident people feel in their security knowledge, how they perceive their role in protecting the organization and what training categories they would like to explore next. This feedback not only builds engagement but also helps you refine your second-year program.

An annual program built on microtraining, spaced repetition and role-relevant topics creates a continuous learning journey. It helps employees internalize strong security habits and apply them instinctively. By selecting the right frequency, choosing meaningful themes and building on a solid foundation, you can develop a program that is both manageable and measurably effective.

 
