Any training programme is only as good as the change, improvement or advancement it delivers. As a rule, staff training is designed to better their performance and/or productivity, which will ultimately manifest itself in a company’s bottom line.
When it comes to security awareness training, the goal of training is – indirectly – the same. Non-compliance with data security regulations, as well as subsequent data breaches, can be very costly and damage a company’s name and reputation. However, it is often difficult, if not impossible, to correlate the damage to a specific training shortfall. Nevertheless, basic measuring and monitoring of training results can help a company decide whether the chosen training programme is adequate or should perhaps be modified.
What can you really measure?
Knowledge is the starting point of security awareness training. Fortunately, it is fairly easy to measure to what extent participants have acquired new knowledge. Our training modules, for example, always include a brief quiz that participants have to pass to successfully complete the module.
Similarly, simulated phishing campaigns, in combination with our Phishing Reporter, allow a company to measure how often users detect and correctly identify a phishing attack, which departments perform better than others, and so on.
Another factor that can be objectively measured is the number of non-compliance incidents. All of the above will help a company assess the effectiveness of its chosen training programme.
Finally, our approach to improving data security within any organisation includes the calculation of an Exposure Index for each individual. This index will alert the management to the level of risk that each user could potentially pose, and how to minimise it. Our Exposure Index is based on a formula that takes three factors into account: the user’s performance in training courses and phishing simulations, the user’s managerial level (the higher the level, the greater the damage in case of a breach), and a deep search to determine any pre-existing exposure or abuse of that user’s data.
Why monitor?
Measuring is only one side of the coin. The above measurements only make sense if they are monitored to identify trends, which in turn will determine future training needs and help in the allocation of training resources, to ensure that they are invested where – and when – they are most needed.
Phishing simulation campaigns offer a perfect example. Monitoring a team’s reports of suspicious emails will reveal not only which individuals or departments have reached a satisfactory level of awareness, but also how those reports are distributed over time. For example, a sudden drop in reporting is a clear indication that security awareness has waned and needs to be boosted.
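The monitoring described above can be automated with a small script. The following is an added example, not code from the original article or from the vendor's Phishing Reporter product: it computes the report rate of each department per simulated campaign, ranks departments, and flags any department whose rate dropped sharply between consecutive campaigns. The campaign counts and the 20-percentage-point drop threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real campaign results):
# (department, campaign_id) -> (simulated emails sent, emails reported as suspicious)
SAMPLE_CAMPAIGNS = {
    ("Finance", 1): (40, 12),
    ("Finance", 2): (40, 22),
    ("Finance", 3): (40, 30),
    ("Sales", 1): (50, 10),
    ("Sales", 2): (50, 28),
    ("Sales", 3): (50, 9),   # sharp drop: awareness in Sales has waned
}


def report_rates(campaigns):
    """Return {department: {campaign_id: report_rate}} with rate in [0, 1]."""
    rates = defaultdict(dict)
    for (dept, campaign_id), (sent, reported) in campaigns.items():
        if sent <= 0:
            continue  # nothing was sent; no rate can be computed
        rates[dept][campaign_id] = reported / sent
    return dict(rates)


def flag_drops(rates, threshold=0.20):
    """Return [(department, campaign_id, previous_rate, current_rate)] for every
    campaign whose report rate fell by more than `threshold` (absolute) compared
    with the department's previous campaign. Campaigns are compared in id order."""
    drops = []
    for dept, per_campaign in rates.items():
        ordered = sorted(per_campaign.items())
        for (_, prev_rate), (campaign_id, rate) in zip(ordered, ordered[1:]):
            if prev_rate - rate > threshold:
                drops.append((dept, campaign_id, prev_rate, rate))
    return drops


def rank_departments(rates, campaign_id):
    """Return [(department, rate)] for one campaign, best reporting rate first."""
    ranked = [(dept, per_campaign[campaign_id])
              for dept, per_campaign in rates.items()
              if campaign_id in per_campaign]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    rates = report_rates(SAMPLE_CAMPAIGNS)
    for dept, rate in rank_departments(rates, 3):
        print(f"campaign 3: {dept:<8} report rate {rate:.0%}")
    for dept, campaign_id, prev_rate, rate in flag_drops(rates):
        print(f"ALERT: {dept} report rate fell from {prev_rate:.0%} "
              f"to {rate:.0%} in campaign {campaign_id}")
```

Running the script prints the campaign-3 ranking (Finance ahead of Sales) and one alert for Sales, whose rate fell from 56% to 18%. In practice the threshold should be tuned to the organisation's campaign size, since small departments produce noisy rates.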
In brief, both measuring and monitoring serve a single purpose. They ensure that a company’s management is consistently aware of the growing risk of a data breach or abuse and is allocating adequate human and material resources to their prevention.