Building Security Culture Across 24/48 and 24/96 Shifts
I spent a decade working 24-hour shifts in EMS. I know what happens at hour 20. The cognitive reserve is gone. The decisions that seemed obvious at 0800 are a blur at 0200. And if the security training you delivered was a slide deck six months ago, it is not just forgotten. It was never really there.
This is the problem with building a security culture in public safety. The standard corporate playbook assumes a Monday-through-Friday workforce that sits in the same building and attends the same meetings. Fire and EMS do not work that way. The 24/48 and 24/96 shift rotations create a communication environment where information degrades as it passes between crews. Security awareness does not survive that gap without deliberate design.
Why Annual Computer-Based Training Fails in Fire and EMS
The annual CBT is the default approach for most agencies, and it is the wrong one. Someone buys a training module, assigns it to all personnel, and checks the compliance box. The problem is that CBT is designed for a workforce that processes information in a classroom setting and applies it the next day. In public safety, the next day might be three days from now, and the context will be completely different.
A medic who clicks through a 45-minute module on phishing awareness in a station dayroom is not learning. They are completing a requirement. The knowledge does not transfer to the moment when they are exhausted, the CAD is pinging, and an email that looks like it came from the medical director lands in their inbox. The training and the operational context are disconnected.
The cadence is also wrong. Annual training assumes the information will stick for twelve months. In a high-turnover environment with rotating shifts, it does not. New hires miss the cycle. Veterans forget the content. By the time the next module rolls around, the agency has a different workforce than the one that was trained.
The Station Silo Problem and Contradictory Messaging
Public safety agencies operate across multiple stations. Each station develops its own culture, shaped by the captain or lead medic on that shift. If Captain A treats security as a priority, that station will have better habits. If Captain B views security as IT interference, that station will develop workarounds.
The result is contradictory messaging when the official policy says one thing and the influential veteran on the shift says another. In a 24/48 rotation, personnel spend three days away from the station and come back to a different set of expectations. The inconsistency erodes trust in the policy itself. When the message changes depending on who is working, the message stops meaning anything.
This is a leadership alignment problem, not a training one, and it is the harder one to solve. The captains need to be on the same page about what is non-negotiable and what is flexible. If they are not, the security culture will be defined by the lowest common denominator, and you will end up with the same kind of contradictory messaging that undermines sanction policies.
Training Cadence That Survives Shift Rotation
The solution is not more training hours. It is better timing and smaller doses. A 5-minute security brief at shift change will outperform a 2-hour annual seminar every time, because it happens in the operational context and at a frequency that matches the rotation.
The format of that delivery matters more than the content in many cases. A security minute should cover one specific threat that is relevant right now, like a phishing campaign targeting ePCR credentials or a reminder about terminal lockouts after a near-miss at another station. A quick walkthrough of the end-of-shift logout checklist works well. The content should be delivered on the hardware the crews actually use, not in a separate classroom.
The cadence should match the shift cycle. If the rotation is 24/48, the training reinforcement should hit every rotation, not every quarter. The goal is to keep the security baseline visible at the same frequency that the operational environment changes.
Supervisor-Led Reinforcement
The person who builds security culture is not the IT director or the CIO. It is the station captain. The captain is the one who walks through the bay in the morning, checks that terminals are locked, and notices when someone leaves a tablet logged in. If the captain treats security as part of the job, the crew will too. If the captain ignores it, no amount of policy documents will fix that.
This means security awareness has to be a leadership expectation for supervisors. It should be part of how they are evaluated. A captain who reinforces good security habits during station walkthroughs is doing more for the agency's security posture than any annual training module.
One practical approach is to encourage supervisors to catch and acknowledge good security behavior. A medic who reports a suspicious email or flags a potential vulnerability should be recognized, not ignored. Positive reinforcement at the shift level creates social incentives that policy alone cannot generate.
Integrating Security Into Existing Workflows
The most effective way to improve security culture is to stop treating security as a separate activity. If security checks are integrated into the operational workflow, they become habits instead of burdens.
The end-of-shift checkout is a good example. Most crews already have a process for cleaning the rig, restocking supplies, and completing paperwork. Adding a digital scrub step to that checklist, logging out of clinical applications and clearing cache on shared tablets, turns security into a routine instead of an extra task. This is the same principle that applies to auditing ePCR access logs as a regular practice.
The same principle applies to terminal lockouts. If the technical control is already in place, the training should focus on why it matters and what to do when it fails. The secure path should be the path of least resistance. If it is not, the design is wrong.
> Security culture in public safety is not built in a training room. It is built in the bay, at the terminal, during the 20th hour of a 24-hour shift, by the captain who walks through and notices.
Frequently Asked Questions
Why does annual computer-based training fail in EMS and fire environments?
CBT lacks operational context and is delivered at a cadence that does not match shift rotations. In high-stress, high-fatigue environments, static training is quickly forgotten. Security must be reinforced through continuous, short, supervisor-led interactions that happen in the actual work environment.
How do we handle contradictory security messaging between different station captains?
Security culture is set by the lowest common denominator of leadership. The agency must align its captains on a single set of non-negotiable security standards and hold leadership accountable for reinforcing those standards consistently. If the message changes between shifts, the policy loses credibility.
How can we improve security without adding to the cognitive load of fatigued crews?
The goal is to reduce friction, not add to it. Implement technical controls that automate security, like auto-lock timers, and integrate security checks into existing operational SOPs, like end-of-shift checklists. The secure path should be the path of least resistance.
What is the right training cadence for a 24/48 shift rotation?
Training reinforcement should hit every shift cycle, not every quarter. A 5-minute security brief at shift change, focused on one specific and relevant threat, will outperform an annual seminar. The frequency should match the operational rhythm.
---
The annual CBT is not going away. Compliance requirements will still demand it. But if you want a security culture that actually survives the shift rotation, stop treating the slide deck as the solution. Build the training into the workflow, align the supervisors, and keep the message consistent. Deliver it at the frequency that matches how your people actually work.
-- Steven
Need help with your agency’s cybersecurity? Get in touch