Hackers target people rather than computers, creating security breaches through unsafe information security behaviour such as choosing weak passwords, sharing credentials with colleagues, or downloading suspicious software from the Internet. Because employees play the most important role in safeguarding personal data and information systems, many organisations implement awareness programmes both to protect their data and to comply with the GDPR.
But how effective is awareness training anyway? In this blog post, we will give you some concrete tips on how to measure the success of awareness training in your organisation. Finally, we will show you some of our own results.
Does awareness training work? The science says yes!
In one study of 2,900 white-collar employees, the organisation implemented information security awareness training, which included courses on password use. Of 190 employees randomly selected for a survey, 114 (60%) complied with both the password policy and the other security policies and procedures.
The study also ran a detailed statistical analysis of users' password strength. The technical password audits showed that the objectives for stronger security were met and even exceeded the auditors' expectations: 35.6% of passwords were weak before the project started, and after one year that share had dropped to 6.9%, far exceeding the organisation's objectives. It may not be possible for your organisation to audit the password strength of every employee, but password strength is only one of many ways to tell whether awareness training was effective.
After all, information security has many facets, such as employee satisfaction with the awareness training and how employees communicate about security breaches, to name just a few.
The effectiveness of e-learning
In the past decade or so, the availability of e-learning courses has greatly expanded. Nowadays, you can do anything from a full university degree to learning how to play the guitar. It is advantageous because many people can learn the material whenever and wherever it suits them. However, it isn’t always the most effective way of teaching for two main reasons:
Some skills require in-person training with hands-on experience off the computer and
unfortunately, many e-learning providers take in-person training and simply digitise it to e-learning, which does not suit the medium and is therefore ineffective.
When learning to play the guitar, anyone can learn the theory and some basic skills through e-learning. But as the learner progresses, it will certainly be advantageous for an instructor to be beside them to give more tailored advice based on their strengths and weaknesses.
It is important to emphasise that awareness is not the same as education. Awareness is attentiveness to a given issue, while education means becoming competent to deal with a wide array of situations. The scope of awareness training is mainly to maintain the focus that helps prevent mistakes; IT competence is a much wider scope, of which awareness training is only one part.
You can read more about how e-learning compares with traditional learning when it comes to awareness training here.
How to measure the effect of awareness training
When starting any initiative, it is useful to measure the effect it has on your organisation. Otherwise, how would you know if your efforts have been successful? In this section, we will go through a few ways you can measure the effect of awareness training.
However, it is important to note that measuring the effect of awareness training depends on the goals and context your organisation has. Here are a few to get you brainstorming.
Is the goal to be GDPR compliant?
Is the goal to have transparency and communication when it comes to security breaches?
Is the goal to change the employee's behaviour when working online?
Is the goal to make a cultural change for the team when they work with IT?
Is the goal to be less vulnerable to phishing attacks / hacking attempts / malware attacks?
How your organisation decides to measure the effect will also depend on parameters such as the size of your organisation, and maturity in IT. We recommend using the Plan-Do-Check-Act (PDCA) cycle to establish more effective information security.
Monitor learning activities
The first step to measuring the effect of awareness training is to look at the following metrics:
How many people participate in and complete the awareness training?
Do they complete the learning modules within a few days of receiving them, or do they put them off for a long time?
Do people lose interest in the awareness training over time?
On our security platform, you can easily get an overview of the awareness training in your organisation.
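As an added example, not code from the original post or from CyberPilot's platform, the three metrics listed above can be computed from a plain export of module assignments. The script assumes a hypothetical export with one row per user and module, holding the date the module was assigned and the date it was completed (empty if it was not); the sample rows, the report date and the 14-day grace period are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    user: str
    module: str
    assigned: date
    completed: Optional[date]  # None = not completed (yet)


# Constructed sample export, not real platform data: three monthly modules
# assigned to four users.
SAMPLE = [
    Assignment("alice", "M1", date(2024, 1, 8), date(2024, 1, 9)),
    Assignment("bob",   "M1", date(2024, 1, 8), date(2024, 1, 22)),
    Assignment("carol", "M1", date(2024, 1, 8), date(2024, 1, 8)),
    Assignment("dave",  "M1", date(2024, 1, 8), None),
    Assignment("alice", "M2", date(2024, 2, 5), date(2024, 2, 6)),
    Assignment("bob",   "M2", date(2024, 2, 5), None),
    Assignment("carol", "M2", date(2024, 2, 5), date(2024, 2, 19)),
    Assignment("dave",  "M2", date(2024, 2, 5), None),
    Assignment("alice", "M3", date(2024, 3, 4), date(2024, 3, 4)),
    Assignment("bob",   "M3", date(2024, 3, 4), None),
    Assignment("carol", "M3", date(2024, 3, 4), None),
    Assignment("dave",  "M3", date(2024, 3, 4), None),
]

REPORT_DATE = date(2024, 3, 10)  # day the report is run (assumed)
GRACE_DAYS = 14                  # days a module may sit before it counts as overdue (assumed)


def modules_in_order(records):
    """Module names ordered by the date they were first assigned."""
    first = {}
    for r in records:
        first[r.module] = min(first.get(r.module, r.assigned), r.assigned)
    return sorted(first, key=first.get)


def completion_rate(records, module):
    """Share of users assigned the module who have completed it."""
    rows = [r for r in records if r.module == module]
    done = sum(1 for r in rows if r.completed is not None)
    return round(done / len(rows), 2) if rows else 0.0


def median_days_to_complete(records, module):
    """Typical delay between assignment and completion, completers only."""
    delays = [(r.completed - r.assigned).days
              for r in records if r.module == module and r.completed is not None]
    return median(delays) if delays else None


def overdue(records, module, today=REPORT_DATE, grace_days=GRACE_DAYS):
    """Users who have had the module for longer than the grace period without finishing it."""
    return sorted(r.user for r in records
                  if r.module == module and r.completed is None
                  and (today - r.assigned).days > grace_days)


def engagement_trend(records):
    """Completion rate per module in assignment order; a falling series is the
    'losing interest over time' signal from the list above."""
    return [(m, completion_rate(records, m)) for m in modules_in_order(records)]


def report(records):
    """One summary line per module, for pasting into a status update."""
    lines = []
    for m in modules_in_order(records):
        lines.append(f"{m}: completed {completion_rate(records, m):.0%}, "
                     f"median days to complete {median_days_to_complete(records, m)}, "
                     f"overdue {', '.join(overdue(records, m)) or 'none'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("trend:", engagement_trend(SAMPLE))
```

On the constructed data the trend is 75%, 50%, 25%: each module is completed by fewer people than the one before, which is exactly the pattern worth raising with the team before launching the next module.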
Employee feedback and satisfaction
With everybody buried in everyday tasks, meetings and deadlines, it is easy to shy away from asking the team directly about the awareness training. Asking directly does take some effort, but the insight you get is worth it, and it need not take much of anyone's time.
Some questions you can ask them include:
Do they have time to incorporate the awareness training into their daily work life?
Do they have a stronger grasp on the cyber security concepts?
Do they feel like they have more confidence when being faced with new situations, e.g., when handling personal data?
Do they know who to contact if there is a security breach or a phishing attack?
One method of getting employee feedback is to send out a questionnaire. That way, you have the chance of getting the most responses. We have a template that you can copy here.
Recently, we asked for some feedback from the users of CyberPilot’s awareness training. 849 users* answered our survey, and here’s what they said.
We also recommend either talking to some staff over a quick coffee or having a quick call online to see what they think about the awareness training. You could learn something you didn’t know that you didn’t know.
Phishing simulations
Phishing is one of the biggest cyber security threats, especially because cyber criminals are getting better at targeting and fooling us. One way to measure your team's preparedness against phishing is to test them with phishing simulations.
To set these up, we work with organisations to launch phishing campaigns. These take the form of e-mails with an enticing message that encourages the employee to click on a link. Once they have opened the link, they are asked to 'log in' to gain access to the information. This is how cyber criminals harvest e-mail addresses and passwords, which can then give them access to the organisation's systems. To measure the preparedness of your staff, look at the following results:
E-mail opened. Normally harmless in itself. Note that 'opened' is usually measured with a tracking image, so it is undercounted when mail clients block remote images and overcounted when they pre-fetch them; treat it as a rough signal only
Link clicked. In most phishing simulations this does little harm, but a real phishing link can lead to a page that downloads malware or attacks the browser, so a click already counts as a failed test. Also check that a click was made by a person: mail security gateways often follow links to scan them, which shows up as a 'click' seconds after delivery
Credentials entered. Had the e-mail been real, the organisation's login credentials would now be in the cyber criminals' hands. The simulation's landing page should record only that a form was submitted, never the password itself
In this whitepaper, we look at how organisations have fared against our phishing simulations. Spoiler: based on our studies, more than half of the users are less likely to enter their private data after getting awareness training.
That’s a big improvement!
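As an added example, not code from the original post or from CyberPilot's phishing platform, the script below turns a simulation event log into the funnel above and compares a campaign run before training with one run afterwards. The log format (timestamp, campaign, user, event), the sample rows and the five-second scanner window are all assumptions; a 'reported' event is included as well, because reporting the mail to IT is the behaviour the next section asks for.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real platform output. One line per event:
# "<ISO timestamp> <campaign> <user> <event>", event in sent/opened/clicked/submitted/reported.
# 'submitted' means a form was posted on the landing page; the page must not keep the password.
LOG = """\
2024-01-10T09:00:00 pre alice sent
2024-01-10T09:00:00 pre bob sent
2024-01-10T09:00:00 pre carol sent
2024-01-10T09:00:00 pre dave sent
2024-01-10T09:00:02 pre carol clicked
2024-01-10T09:12:10 pre alice opened
2024-01-10T09:13:05 pre alice clicked
2024-01-10T09:13:40 pre alice submitted
2024-01-10T10:02:00 pre bob opened
2024-01-10T10:03:30 pre bob clicked
2024-01-10T10:04:00 pre bob submitted
2024-01-10T11:30:00 pre dave opened
2024-04-15T09:00:00 post alice sent
2024-04-15T09:00:00 post bob sent
2024-04-15T09:00:00 post carol sent
2024-04-15T09:00:00 post dave sent
2024-04-15T09:20:00 post alice opened
2024-04-15T09:21:00 post alice clicked
2024-04-15T09:22:00 post alice submitted
2024-04-15T09:45:00 post bob opened
2024-04-15T09:46:00 post bob reported
2024-04-15T13:00:00 post dave opened
2024-04-15T13:01:00 post dave clicked
"""

STAGES = ("opened", "clicked", "submitted", "reported")
# A click within this many seconds of delivery is assumed to come from a mail
# gateway that follows links to scan them, not from the recipient.
SCANNER_WINDOW_S = 5


def parse(log):
    """Parse the log into (timestamp, campaign, user, event) tuples in time order."""
    events = []
    for line in log.splitlines():
        ts, campaign, user, event = line.split()
        events.append((datetime.fromisoformat(ts), campaign, user, event))
    events.sort(key=lambda e: e[0])
    return events


def funnel(events, campaign):
    """Share of recipients that reached each stage, plus the users whose only
    click looked automated. A user counts once per stage however often they clicked."""
    sent_at = {}
    reached = defaultdict(set)
    suspect = set()
    for ts, camp, user, event in events:
        if camp != campaign:
            continue
        if event == "sent":
            sent_at[user] = ts
        elif user not in sent_at:
            continue  # event for someone the campaign never mailed; ignore
        elif event == "clicked" and (ts - sent_at[user]).total_seconds() <= SCANNER_WINDOW_S:
            suspect.add(user)
        else:
            reached[event].add(user)
    n = len(sent_at)
    rates = {stage: round(len(reached[stage]) / n, 2) for stage in STAGES}
    return rates, sorted(suspect - reached["clicked"])


def change(events, before, after):
    """Change per stage between two campaigns, as a fraction of recipients.
    Negative is good for opened/clicked/submitted; positive is good for reported."""
    b, _ = funnel(events, before)
    a, _ = funnel(events, after)
    return {stage: round(a[stage] - b[stage], 2) for stage in STAGES}


def repeat_submitters(events, *campaigns):
    """Users who handed over credentials in every listed campaign: the people
    who need a conversation rather than another module."""
    sets = [{u for _, c, u, e in events if c == camp and e == "submitted"} for camp in campaigns]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    events = parse(LOG)
    for camp in ("pre", "post"):
        rates, suspect = funnel(events, camp)
        print(camp, rates, "probable scanner clicks:", suspect)
    print("change pre -> post:", change(events, "pre", "post"))
    print("submitted in both:", repeat_submitters(events, "pre", "post"))
```

On the constructed data the 'submitted' share halves between the campaigns while 'reported' goes from nobody to one in four, and carol's two-second click is set aside as a gateway scan rather than a failure. The credential-entry rate and the reporting rate are the two numbers to track over time; open rates are too noisy to build a conclusion on.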
Communication about security breaches
Not only is it important for your team to avoid threats such as phishing or malware, they also need to report what they have seen, both to their colleagues and to the person responsible for IT. The GDPR (Article 33) requires that personal data breaches are documented, and that documentation can record how the breach was found and reported, so the DPO can show that it was an employee who discovered it. In our awareness training, we make it clear that reporting is expected, because keeping a breach to oneself does nobody any good.
For example, if you are the DPO and you know for a fact that there has been a data or security breach, but nobody has brought it to your attention, then you will need to bring this up in a constructive way. We find that initiating a dialogue in the organisation can get conversations going and therefore, cyber security will continuously be a priority.
Here are a few things you can do, and be aware of, to measure the communication about security breaches in your organisation:
Keep a logbook of the informal conversations about security you have over chat or in person. It doesn’t have to take a lot of effort, but it will be a good way to remember the interactions so you can reflect.
Do people talk more about security in general?
Do people ask questions when they are in doubt?
We would also like to hear from you!
In this blog post, we have illustrated the ways you can measure the effectiveness of awareness training in your organisation. In doing so, you may have talked to your team about how they like our awareness training or asked them to fill out a short survey (duplicate the free template here). Was there something we missed? Is there something we can fix to improve their experience? Let us know at email@example.com!