19 January 2024
Significance of the forgetting curve in security awareness
The forgetting curve by Hermann Ebbinghaus (1885) is a true classic. Ebbinghaus is after all one of the founding fathers of experimental psychology. Even today, the theory holds up (Murre & Dros, 2015).
The curve illustrates how newly learned information fades from our memory. Most knowledge is forgotten shortly after learning. This is particularly relevant in the world of cybersecurity training, where retaining information can literally mean the difference between staying safe and being vulnerable to attack again.
How can you take this into account in your learning program?

1. Frequency of repetition
To counteract the effects of the forgetting curve, regular repetition is important.
That means your curriculum should include regular updates and repetition training to keep knowledge fresh and applicable.
2. Practical application
Applying lessons learned in realistic scenarios helps reinforce memory. Simulations of phishing attacks or setting passwords securely are part of an effective program.
Any kind of repetition improves retention of knowledge.
3. Engagement & Interactivity
Use interactive elements such as quizzes and skill games to keep participants actively engaged. Different forms of practice increase the likelihood that they will remember and apply the information.
4. Personal relevance
Make content relevant to participants’ daily activities by making learning interventions relatable and personal.
When they see how cybersecurity affects their work and personal lives, they are more likely to pay attention to the learning resource. And the more time someone interacts with the content, the more likely a piece of information will be remembered.
5. Enough time between repetitions
To make a memory stronger in the long term, there must be enough time between repetitions. If newly learned information is repeated too soon, the memory is still too fresh and the repetition will contribute less to strengthening the memory. If you want to reproduce something one year after the moment of learning, the ideal interval between repetitions is 21 days (Cepeda, Vul, Rohrer, Wixted, & Pashler, 2008).
By taking into account the forgetting curve, you ensure that your security awareness program not only informs, but actually changes behavior for the good of a mature security organization.
References
- Cepeda, N. J., Vul, E., Rohrer, D., Wixted, J. T., & Pashler, H. (2008). Spacing effects in learning: A temporal ridgeline of optimal retention. Psychological Science, 19(11), 1095-1102. DOI: 10.1111/j.1467-9280.2008.02209.
- Ebbinghaus, H. (1885). Über das Gedächtnis. Leipzig: Duncker.
- Murre, J. M. J., & Dros, J. (2015). Replication and Analysis of Ebbinghaus’ Forgetting Curve. PLoS ONE, 10(7), e0120644. https://doi.org/10.1371/journal.pone.0120644