CEB Blogs


Information Risk

4 Steps to Assess Information Security Training Programs

Most information security teams worry about how good their training efforts are and how they should measure them; it doesn't need to be overcomplicated.

The seven risks that most concern chief information security officers at the world’s large companies all come from the potential for employees, contractors, or third-party vendors to act maliciously or be duped.

The job of CISOs and their teams, therefore, in stopping a company’s information from getting into the wrong hands is to understand and shape the behavior of a wide range of people. Looking at the large set of data collected by CEB’s annual Global Labor Market Survey (this video has more on the most recent results), which asks questions about a wide range of employee behavior, reveals two important pieces of information.

First, unhappy employees are less secure; this may seem self-evident but it’s still informative to have it backed up by data. Employees looking to leave their employer are less motivated in their day-to-day work and one-and-a-half times more likely to behave in a risky manner than their more settled colleagues.

Second, and maybe less self-evident, employees who use their own devices (laptop, tablet, smartphone, etc.) at work are less risky than information security teams might think. Security professionals often feel that, because employees using their own devices tend to be more technology-savvy, they are more likely to flout security policies, thinking they know more about security than they actually do. While this may be true in some cases, the data show that employees who use BYOD (bring your own device) more frequently than their peers do not exhibit more insecure behavior.

So What?

The two observations point to two conclusions for CISOs and their teams. First, they underline the importance of prioritizing employee awareness efforts to target the groups of employees least likely to behave securely, such as the disengaged.

And second, it shows the importance of reexamining any “gut-feelings” about how well an information security program is being received. Indeed, one of the most common problems we hear from CEB’s network of information security professionals is that they do not know whether their awareness efforts are working or not.

Beyond things like tracking how often people click links in phishing emails, there is rarely any sign of whether, say, a training program actually taught people anything about information security and, crucially, whether it led them to act differently. Without a clear understanding of what works and what does not, CISOs struggle to direct their next investments.

Four Steps to Assess How Good Your Training Is

Although it is hard to measure how effective an awareness campaign was, it’s far better to do something than just say, “we haven’t got the time or resources to do it.”

Information security teams don’t need to design a comprehensive process to measure how good their education and awareness efforts are. A simple approach can provide a lot of useful information. The four steps below can be used to measure future awareness efforts.

These steps focus on measuring training programs but can be applied to other tactics like communication campaigns or running awareness days.

  1. Design a pre- and post-training survey: These surveys should be almost identical and should go hand-in-hand.

    The pre-training survey assesses employees’ baseline knowledge and should be compared against post-training survey results. Remember to keep the survey short and include only questions related to your goals for the training, i.e., what you would like employees to gain from it.

  2. Survey a random sample of employees: Select a representative sample of the employee population to take the pre- and post-training surveys.

    If done correctly, administering the surveys to a random sample saves you time and money but still gives you an accurate capture of the impact of your training.

  3. Use the results to inform your next awareness effort: The change in employees’ scores from pre- to post-training measures how good the awareness training was.

    Dig into the results to understand what employees gained from the training and use this to adapt subsequent rounds.

  4. Broadcast results to employees: Consider sharing the survey results with employees, either in the aggregate or as individual results. Behavioral research shows that timely and personally relevant feedback helps produce behavioral change.
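As an added illustration (not from the CEB post), the pairing and scoring logic behind steps 2 to 4 in Python: draw a reproducible random sample, compare each question's pre- and post-training score only for employees who completed both surveys, rank the weakest topics for the next round, and compute an individual's own before/after score for feedback. The question ids, employee ids and answers are constructed sample data.

```python
import random

# Constructed sample data (hypothetical question ids and employees), not from the post.
# Each question maps to one training goal; 1 = answered correctly, 0 = incorrectly.
PRE = {
    "e1": {"phishing_link": 0, "password_reuse": 1, "usb_handling": 0, "report_incident": 0},
    "e2": {"phishing_link": 1, "password_reuse": 0, "usb_handling": 0, "report_incident": 1},
    "e3": {"phishing_link": 0, "password_reuse": 0, "usb_handling": 1, "report_incident": 0},
    "e4": {"phishing_link": 0, "password_reuse": 1, "usb_handling": 0, "report_incident": 1},
}
POST = {  # e4 never completed the post-training survey and is excluded from pairing
    "e1": {"phishing_link": 1, "password_reuse": 1, "usb_handling": 0, "report_incident": 1},
    "e2": {"phishing_link": 1, "password_reuse": 1, "usb_handling": 0, "report_incident": 1},
    "e3": {"phishing_link": 1, "password_reuse": 0, "usb_handling": 1, "report_incident": 1},
}


def random_sample(employee_ids, size, seed=7):
    """Step 2: draw a reproducible random sample of employees to survey."""
    return random.Random(seed).sample(sorted(employee_ids), size)


def per_question_change(pre, post, sample):
    """Step 3: paired pre/post comparison per question.

    Only employees in the sample who answered BOTH surveys are counted, so a
    drop-out cannot be mistaken for a drop in knowledge.
    """
    paired = [e for e in sample if e in pre and e in post]
    if not paired:
        return {}
    questions = sorted({q for e in paired for q in pre[e]})
    results = {}
    for q in questions:
        pre_rate = sum(pre[e][q] for e in paired) / len(paired)
        post_rate = sum(post[e][q] for e in paired) / len(paired)
        results[q] = {"n": len(paired), "pre": round(pre_rate, 3),
                      "post": round(post_rate, 3), "delta": round(post_rate - pre_rate, 3)}
    return results


def weakest_topics(results):
    """Lowest post-training score first: the topics to revisit in the next round."""
    return sorted(results, key=lambda q: (results[q]["post"], q))


def individual_feedback(pre, post, employee):
    """Step 4: one employee's own pre and post scores (fraction correct) for personal feedback."""
    n = len(pre[employee])
    return (round(sum(pre[employee].values()) / n, 3), round(sum(post[employee].values()) / n, 3))
```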
