When a measurement is made about something it gives us data. Whether that data is about the length of a piece of string or that of an employee’s behaviour, when confronted with a phishing email, has changed, this data gives us important insight into a task or project.
The success, or not, of a Security Awareness Training program (SAT) can be measured in more ways than one, and in doing so, provides important insights into the effectiveness of the training. But how to optimise these measurements requires a cross-functional team with vision.
Here are a few ways in which to capture the measure by measure of your security awareness program.
Why Bother Measuring a Security Awareness Training Program’s Effectiveness?
A recent Gartner inc., paper “Take 3 Steps to Prove That Your Security Awareness Program Is Actually Working” sets out the why’s and how’s when measuring an SAT program. The paper, written for security and risk managers, identified three key reasons why measurement of Security Awareness Training is important:
- If you can’t show proof that cyber risk is reduced through the program, you won’t get C-level buy-in to continue the Security Awareness Training.
- Security Awareness Training is often dropped into an organisation without having a clear vision of what it is trying to achieve. This results in a program that does not achieve the behavioural changes needed to reduce cyber risk.
- Measuring the success of a Security Awareness Training cannot be based on single variables. These programs contain many elements and these need to be captured to show the true impact of an SAT program.
One of the main points of the paper is that a clear vision must set the baseline of a security awareness program. Without this clear vision of what it is you want to achieve ,measurements will be meaningless. Put another way, measurements are more effective if they have a starting point as a comparison. This vision must, however, be directly linked to business outcomes. One way to establish this baseline is by using a cross-functional approach, that is, bringing teams together across organisational boundaries to input into what is important in mitigating cyber risk.
This aligns cyber security vision with business goals; this approach is an ongoing exercise and best practise as cyber attacks cause continuous havoc across all sectors of industry. Business and operational decisions are now intrinsically intertwined with security. The Covid-19 pandemic and work from home mandates demonstrated this point, with the increased security risk of home working; home workers providing more opportunities for cybercriminals to attack a company network via its employees.
But a vision needs demonstrable measures to show it is meeting its remit. Showing a C-level or board how well a program is progressing requires hard facts. This is where measurement comes in.
Three Ways to Measure Security Awareness Training Program Success
The Gartner paper mentions three key things that prove your security awareness program is working. These three areas can be broken down into:
Generate a culture of security-based vision statement: what is it that your organisation needs from the security awareness program? What security behaviours do you want to see come out of employee education on security matters?
Capture the metrics of security behaviour: create security awareness metrics that demonstrate meaningful and positive security behaviour change. These metrics can take the form of traditional security awareness metrics from surveys and phishing simulations, as examples.
Demonstrate risk exposure reduction: show the Cx team trackable changes in security behaviour related to material results in terms of reduced exposure to cyber-risk.
Capturing Metrics and Behavioural Changes
The security vision is the pivot upon which the capture of metrics and behavioural evidence turns. This vision then forms the evidence needed to demonstrate to the Cx team that Security Awareness Training works. There are many ways to measure security metrics, and MetaCompliance has discussed Security Awareness Training measurements in a previous blog post.
Measurement provides quantifiable data that provides the basis for a Return on Investment (ROI) evaluation. But a simple ROI equation does not capture the positive, ongoing, impact of a well-developed security awareness program. The core security vision of an organisation must be mapped to validate end results that see the overall cyber-risk of an organisation reduced. This vision of a secure organisation must map to security-first thinking and associated behavioural change.
To help in your measurement exercise, the Gartner paper talks about “Signature behaviours”, which it describes as “Signature behaviors are those that clearly reflect positive intent and support by end-users for realising the security awareness vision.”
Gartner maps some examples of desired security practices against signature security behaviours:
Practise: All end users use strong passwords
Behaviour: We always use passphrases to construct our passwords used for accessing our work accounts
Practise: Check links before you click them
Behaviour: We are alert to, and report suspicious emails to the IT service desk
As part of your security vision, work with your cross-functional team to develop a set of signature behaviours that can then be used to evidence Security Awareness Training program success.
The Proof of the Pudding Through Better Security
Ultimately, a company wants to see that its investment in a security awareness program is reflected in decreased chances that its data will be breached. By evaluating signature behaviours against threat types, an organisation can enrich a simple ROI equation with added value.
The proof of security training is in the pudding. Over time, a well-planned and effective Security Awareness Training program will show a reduction in cyber attacks. But a strong vision is where this all begins.