How to Measure the Effectiveness of your Cyber Security Training
Wed, 09 Jun 2021 10:10
After spending time and effort deciding upon the right cyber-security training solutions provider, agreeing and implementing said training, and then overseeing the roll-out with employees, you'd be surprised how often businesses drop the ball when it comes to measuring the fruits of their labour.
If you don't measure the results, though, how can you know for sure the training is working? How do you know you're doing enough to protect your company?
The good news is, you're reading this article! So, here are some key principles and useful tools to bear in mind when measuring the effectiveness of your cyber-security training:
Identify skills gaps
Skills gaps are deficiencies in performance caused by lack of skills for, or knowledge about, the workplace (for instance, keeping business information secure).
In the short term, the goal of training is to bridge these gaps through a series of learning interventions; the desired outcome here being the mitigation of their effect upon business performance and metrics.
In the long term, however, your training solution should seek to identify and rectify the root causes of such gaps and help to improve processes around these areas. In other words: to remove the gap from occurring in the first place.
To achieve both these long- and short-term goals (and to measure their progress over time) you'll need access to information, and that's why it's important to ...
Test your employees
Did you know that the latest cyber-attack trend data for the UK shows the majority of data breaches began with a phishing attack?
Every day 156 million phishing emails are sent and 16 million of these get through security filters into inboxes.
What's more, 8 million phishing emails are opened and 800,000 malicious links in those emails are clicked.
80,000 recipients fall for phishing scams every. Single. Day.
One surefire way to test if your cyber-security awareness training is hitting the mark is to test it – and not only by using knowledge-based quizzes and surveys. Rather, software such as phishing simulators can be used to conduct fake phishing attacks within your company – across a range of different industries and targeting specific audiences (e.g. aimed at the C-suite, aimed at finance, fake social media accounts, and so on).
By integrating tools like phishing simulators into a Learning Management System (such as the one your eLearning is hosted on) it's easy to see campaign reports (open rates, click rates, deletion figures, etc.) and diagnose which employees require further training and reinforcement activities straight away.
Up your reporting game
xAPI (or Experience API) is a file format for storing and retrieving all the data from your learning experience in the form of data-based 'statements'. These are then stored inside a Learning Record Store (LRS) for each employee.
Using xAPI, then, it's easy to collect and analyse data from a whole range of learning experiences (even those carried out outside a browser; mobile apps and so forth) and - when it comes to learning analytics - this is great news! It means we have the ability to track employee progress over time, monitor performance pre- and post-assessment, and measure engagement across entire programs of learning.
These insights build a real picture about the effectiveness of your chosen training solution and, when used alongside an intelligent learning platform, can be used to create targeted learning journeys designed to fill any gaps in knowledge and increase the training's potency.
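The pre- and post-assessment tracking described above, as an added Python example that is not part of the original article: it reads xAPI statements (actor, verb, object, result, timestamp) and lists the employees who need follow-up. The activity ids, e-mail addresses, the 0.8 pass mark and the sample statements are constructed assumptions.

```python
from collections import defaultdict

COMPLETED = "http://adlnet.gov/expapi/verbs/completed"
PRE = "https://example.com/activities/phishing-pre-assessment"    # hypothetical id
POST = "https://example.com/activities/phishing-post-assessment"  # hypothetical id

def stmt(email, activity, scaled, ts):
    """Build a minimal xAPI statement: actor, verb, object, result, timestamp."""
    return {"actor": {"mbox": f"mailto:{email}"}, "verb": {"id": COMPLETED},
            "object": {"id": activity},
            "result": {"score": {"scaled": scaled}}, "timestamp": ts}

# Constructed sample data, standing in for statements pulled from an LRS.
STATEMENTS = [
    stmt("alice@example.com", PRE, 0.40, "2021-03-01T09:00:00Z"),
    stmt("alice@example.com", POST, 0.90, "2021-04-01T09:00:00Z"),
    stmt("bob@example.com", PRE, 0.70, "2021-03-01T09:05:00Z"),
    stmt("bob@example.com", POST, 0.50, "2021-04-01T09:05:00Z"),
    stmt("bob@example.com", POST, 0.65, "2021-04-10T09:05:00Z"),   # retake
    stmt("carol@example.com", PRE, 0.55, "2021-03-02T10:00:00Z"),  # no post yet
]

def score_changes(statements):
    """Map actor -> (pre, post, delta), using the latest attempt per activity."""
    latest = defaultdict(dict)  # actor -> activity -> (timestamp, score)
    for s in statements:
        actor = s.get("actor", {}).get("mbox")
        activity = s.get("object", {}).get("id")
        score = s.get("result", {}).get("score", {}).get("scaled")
        if (s.get("verb", {}).get("id") != COMPLETED or actor is None
                or score is None or activity not in (PRE, POST)):
            continue  # skip statements that are not scored assessments
        ts = s.get("timestamp", "")  # same-format UTC strings sort chronologically
        if activity not in latest[actor] or ts > latest[actor][activity][0]:
            latest[actor][activity] = (ts, score)
    return {a: (v[PRE][1], v[POST][1], round(v[POST][1] - v[PRE][1], 2))
            for a, v in latest.items() if PRE in v and POST in v}

def follow_up(statements, pass_mark=0.8):
    """Actors needing reinforcement: failed, did not improve, or never re-assessed."""
    changes = score_changes(statements)
    weak = {a for a, (_, post, d) in changes.items() if post < pass_mark or d <= 0}
    actors = {s["actor"]["mbox"] for s in statements}
    return sorted(weak | (actors - set(changes)))

if __name__ == "__main__":
    print(score_changes(STATEMENTS))
    print(follow_up(STATEMENTS))
```

Employees with only a pre-assessment on record are reported too, since a missing post-assessment is itself a gap in the measurement.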
Check your culture
Admittedly, measuring a compliance culture seems rather difficult, but that's not to say it's impossible! Businesses might use anonymous surveys, for example, to measure attitudes, behaviours, and employee impressions – these answers can be very useful when it comes to giving an idea of why people continue to take risky actions (e.g. using overly simple passwords or leaving screens unlocked) despite having had training against this.
Measuring employee impressions in this manner is useful information to have, particularly before you embark on a new cyber-security training program, as it can be used to measure behavioural change and attitudes along the way.
Insights over time, such as how employees react when observing and/or reporting cyber-security incidents, how they view the 'tone from the top' (i.e. management commitment) when it comes to cyber-security measures, as well as whether they feel compliance is communicated effectively and how engaging their training is, can prove invaluable when it comes to the nitty-gritty of your training's efficacy.
After all, qualitative insights from surveys can help you change behaviours and reduce risks – but it's important to note that finding an overall quantitative cultural metric is equally important. It's only through quantitative metrics that behavioural improvements can really be measured and sought.