Back to Training component
Capability TR.10

Training Updates and Lessons Learned

"Training and awareness programs are updated on a regular basis and incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques"

This capability evaluates whether the organization has the ownership, process, evidence, training content, workflow integration, and oversight needed to manage this area of insider risk.

Scope & Context

What This Capability Means

Training Updates and Lessons Learned assesses whether the organization has a defined, repeatable, and evidence-supported approach to this training capability. This includes the policies, roles, workflows, systems, data sources, training artifacts, recordkeeping practices, and oversight needed to make the capability operational.

Strategic Importance

Why This Capability Matters

This capability matters because training is often the control that connects policy expectations to daily workforce decisions. Weaknesses can create blind spots in Training & Awareness, Governance & Oversight, Incident Detection & Response, delayed reporting, inconsistent conduct, and weak evidence when leaders need to explain readiness. A mature capability helps the organization move from completion tracking to defensible, risk-informed behavior change.

AI & Automation Context

AI-related incidents, policy updates, and emerging misuse patterns should trigger training-content review. AI-generated training materials should be version-controlled, reviewed, and approved before publication.

Capability Assessment

Weakness vs. Maturity Indicators

Signs of Weak Capability
  • Training is generic, optional, stale, or disconnected from insider-risk scenarios.
  • Roles, owners, timing, and escalation paths are not clearly documented.
  • Completion, attestation, testing, and exception evidence is incomplete or scattered.
  • High-risk users, privileged users, third parties, or role-specific audiences are not differentiated.
  • Lessons learned from incidents, policy changes, and emerging AI-enabled tactics are not reflected in the curriculum.
  • Leaders cannot connect training gaps to risk, roadmap actions, or measurable program improvement.
Signs of Mature Capability
  • Post-incident RCA triggers content review within 30 days.
  • “What-went-wrong” mini-modules pushed to affected groups.
  • Change log maintained; version notes visible in LMS.
  • The capability has a named owner, documented process, defined audiences, and clear policy support.
  • Training is role-specific, scenario-based, and reinforced through testing, simulations, or periodic communications.
  • Training records, attestations, scores, exceptions, and version history are retained and auditable.
  • Content is reviewed after incidents, policy changes, threat changes, and AI-related workforce behavior changes.
Governance Guidance

Questions Leaders Should Ask

Question 1

Who owns TR.10, and do they have authority to update content, enforce completion, and report gaps?

Question 2

Which workforce segments, roles, third parties, or privileged users are in scope?

Question 3

What evidence shows the capability is operating as designed, not merely documented?

Question 4

How are exceptions, overdue training, failed assessments, and high-risk cohorts escalated?

Question 5

How are AI-enabled threats, AI-use expectations, or AI-generated training content reviewed and governed?

Question 6

How does this capability connect to roadmap actions, risk register items, and executive reporting?

Defensible Program Artifacts

Evidence Examples

Evidence Type

Training policy and procedures

Evidence Type

Curriculum outline and course materials

Evidence Type

LMS completion records and transcripts

Evidence Type

Attestations or acknowledgements

Evidence Type

Quiz, simulation, or testing results

Evidence Type

Exception and escalation records

Evidence Type

Version history and content review logs

Evidence Type

Leadership reporting or KPI dashboard

Evidence Type

Incident lessons-learned updates

Evidence Type

Policy-change content review records

Regulatory Context

Mapped Standards and Framework References

Standard / Framework ReferenceHow It Relates to This Capability
NIST 800-53, r5 (3.2, AT-2)Reference mapping for TR.10; validate applicability based on workforce, legal, privacy, data, and operational context.
Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
RiskTKO® Bridge

How RiskTKO® Operationalizes This Capability

Assessment evidence

Policies, training materials, LMS records, attestations, testing results, workflows, or records used to evaluate current capability.

Risk evidence

Risk register items or exposure narratives connected to training gaps, workforce readiness, AI-use expectations, or role-specific obligations.

Roadmap evidence

Recommended actions, owners, milestones, dependencies, completion status, and training improvement records.

Executive evidence

Summaries showing current state, progress, remaining gaps, training effectiveness, and risk reduction over time.

Assess, Prioritize, and Report with RiskTKO®

Protecting proprietary logic (scoring, weightings, and roadmap generation formulas) remains inside the software layer. RiskTKO® provides your team with the complete operational dashboard to evaluate this capability, document evidence, track actions, and deliver clean, executive-ready maturity metrics.