Spaced repetition
An evidence-based learning schedule that reactivates content at increasing intervals to counter the forgetting curve.
Spaced repetition is a learning technique in which material is reviewed at progressively longer intervals — typically minutes, then hours, then days, then weeks — to exploit the way long-term memory consolidates. Each successful recall flattens the forgetting curve for that item, so the next interval can be longer without losing the knowledge.
The technique has been formalized in algorithms used by language-learning apps (SuperMemo’s SM-2, Anki, Duolingo) and in classroom settings via the Leitner system. Applied to security behavior, it replaces the “one annual training, hope it sticks” model with a continuous, lightweight schedule keyed to each learner’s actual recall performance.
Defining properties:
- Adaptive intervals. Items the learner got right move to a longer interval; items they got wrong reset to a short one.
- Per-item scheduling. Two employees who took the same course end up on different schedules a week later, because their recall performance diverged.
- Short events, many of them. A spaced-repetition program is built from 30-to-90-second checks, not 30-minute modules.
- Outcome-measurable. Because each recall event is a logged success/failure, you get a behavioral retention curve rather than a completion certificate — a much better signal for auditors.
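To make the adaptive, per-item scheduling concrete, here is an added example (not code from the original page or from any product it mentions) of the SM-2 update rule as it is commonly implemented, replayed over two constructed recall logs. Each check is graded 0 to 5; a grade of 3 or better counts as "got it right" and lengthens the interval, a lower grade resets the item to a one-day interval, and every event is kept in a per-item log from which a retention rate can be read.

```python
from dataclasses import dataclass, field

@dataclass
class ItemState:
    """Per-learner, per-concept SM-2 state (one row per employee x item)."""
    ease: float = 2.5      # SM-2 E-Factor; never allowed below 1.3
    reps: int = 0          # consecutive successful recalls so far
    interval: int = 0      # days until the next check
    due: int = 0           # day number on which the next check is scheduled
    history: list = field(default_factory=list)  # (day, quality) recall log

def sm2_review(state: ItemState, quality: int, day: int) -> ItemState:
    """Apply one recall event graded 0..5 (3+ = success) as SM-2 commonly does."""
    if not 0 <= quality <= 5:
        raise ValueError("quality must be in 0..5")
    state.history.append((day, quality))
    if quality >= 3:
        # Successful recall: 1 day, then 6 days, then previous interval * ease.
        if state.reps == 0:
            state.interval = 1
        elif state.reps == 1:
            state.interval = 6
        else:
            state.interval = round(state.interval * state.ease)
        state.reps += 1
    else:
        # Failed recall: the item starts over on a short interval.
        state.reps = 0
        state.interval = 1
    # Ease adjusts on every event; poor grades lower it, floored at 1.3.
    penalty = (5 - quality) * (0.08 + (5 - quality) * 0.02)
    state.ease = max(1.3, state.ease + 0.1 - penalty)
    state.due = day + state.interval
    return state

def run_schedule(grades) -> ItemState:
    """Replay grades for one employee, answering each check on the day it is due."""
    state = ItemState()
    for q in grades:
        sm2_review(state, q, state.due)
    return state

def retention_rate(state: ItemState) -> float:
    """Share of logged checks that were successful recalls (the auditor's signal)."""
    if not state.history:
        return 0.0
    return sum(1 for _, q in state.history if q >= 3) / len(state.history)

# Constructed logs: employee A recalls perfectly; employee B slips on the third check.
employee_a = run_schedule([5, 5, 5, 5])   # next check due on day 68, interval 45
employee_b = run_schedule([5, 5, 2, 5])   # next check due on day 9, interval 1
```

After the same four checks the two employees are on very different schedules, which is the per-item divergence the properties above describe.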
For a CISO, the value is twofold. First, retention actually holds: the literature consistently shows 2-3x retention gains over massed (one-shot) training. Second, the schedule produces behavioral evidence — a per-employee log of what they remembered, when, and how reliably — that maps cleanly to SOC 2 awareness controls and to NIS2 Article 21’s requirement that training be “regular” rather than annual.
Spaced repetition pairs naturally with microlearning (the format that fits in the interval) and with nudges (the contextual trigger that re-activates the concept at the moment of risk).
Related terms
- Forgetting curve: Ebbinghaus's 1885 finding that newly learned information decays exponentially — the reason annual security awareness training fails.
- Microlearning: Short, focused learning units — typically 30 seconds to 3 minutes — that fit inside the working day and survive the forgetting curve.
- Nudge: A small, contextual intervention that steers a person toward a safer choice without restricting freedom — the unit of work behind behavior-centered cybersecurity.
- Behavioral KPI: A risk-team metric anchored on what employees actually do over time, not on training completions or click-rate on simulated phishing emails.
- Knowledge-behavior gap: The empirically documented gap between what employees know about cybersecurity and what they actually do at the moment of decision.