Is your cyber security training and awareness programme working?
You’ve identified your top human cyber risks (the things people do, or don’t do, which could create a security issue). Tick.
You understand a bit about what staff find easy or hard about keeping information secure. Tick.
You’ve put a programme of activities in place to engage and motivate people to do the right thing. Tick.
If you’ve ticked one or more boxes, be very proud! You’ve made great inroads into building a good security culture by taking the time to help your staff make good decisions when working online.
Building a good security culture, incorporating meaningful training and awareness, takes time and money. So how do you know your investment is paying off?
Ask yourself —
Have our human cyber risks reduced?
Are staff making changes to their behaviours which means our information is more secure?
Can we actually show the success of our cyber security training and awareness efforts?
Read on for some tips on how to answer ‘yes’ to those questions.
How to measure the success of your cyber security training and awareness programme
Before you embark on raising awareness and changing security behaviours, you need to have a good understanding of what risks you are managing, what behaviours you want changed and why.
To do this you need to:
1) Decide the top human cyber risks you want to focus on
This is really the guts of your programme! What do you want to help people do differently, and why? If they don’t change their behaviours, what could happen?
Identify your own top human risks to know what to cover in your programme and focus on the things that will make the biggest difference first.
Try a simple risk exercise with a group of stakeholders from across the business. Discuss and plot the likelihood and impact of a handful of human risks (phishing emails, email attachments, not knowing about security policies and processes, not locking devices, unauthorised access to buildings, etc.). Think about these in the context of working both at home and in the office.
For each risk, try to find one or two practical indicators you can measure before and after your awareness campaigns.
For example, the number of lost or stolen devices, and the number of calls or reports to the service desk.
Make sure you know where you can find these measures (e.g. from your Service Desk or Security Team), both before and after the campaign.
2) Know your audience
Using the outcomes of the risk exercise in step 1, and knowing what you’re going to measure in terms of success (your “practical indicators”) after your campaign, identify your target audience.
Who are you targeting with this training, and what do they prioritise in their day? Do different teams have different risk profiles (for example, the finance team vs the catering team)? How can you ensure your security campaign is effective for each audience group?
3) Roll out your awareness campaign
Make your communications short and sweet! Include a few words about why you’re asking staff to do something and be very clear on what they need to do. Be sure to tell them where to get help. Less is often more as people suffer badly from “comms fatigue”, especially in large organisations.
4) Measure the effectiveness of your campaign
Go back to the sources of the practical indicators you identified in step 1 and collect the post-campaign numbers. Compare them to the indicators you collected before the training or awareness campaign rolled out.
What do the measures tell you? Have behaviours changed as a result?
This may seem a very simplistic approach to measuring effectiveness, but at the end of the day all you need to do is understand the difference your awareness efforts have made.
Putting this into practice – case study
What are your human cyber risks?
You know some of your staff use and reuse weak passwords for both their home and work accounts, because their credentials have been stolen and have shown up for sale on hacker forums.
What do you want people to do differently?
You want staff to use strong, complex and unique passwords for each of their accounts, but those are difficult to remember, so you are rolling out LastPass to make password management safer and easier for staff.
Identify the practical indicators you can measure before and after your awareness campaign, for example:
How many staff currently have a password manager saved to their phone or work device? Which ones do they use? How frequently are they accessed? Can you be sure they are set up and being used correctly?
Know your audience
Some of your staff are digital natives and need very little assistance with downloading, setting up and using apps, while other staff may need more hands-on help to get going and reset all their passwords. Some of your staff may only need a phone app while others might need a browser version. Target your training and awareness efforts to the audience groups who need to know.
Measure the change
10% of staff have completed the task – there is plenty of room for improvement, and feedback will be invaluable to improve results. Revisit the why of your training to ensure they understand why they are being asked to give up their time for better security. Make it relevant to their lives: do they know a password manager can be used for their personal or family accounts too, improving their family’s security?
50% of staff have done it – nice work. Think about an incentive to push the number higher. Get some early adopters to spread the word on your Yammer (organic marketing).
90% – Wow! Celebrate this win with staff in some way, and try to encourage the remaining few to join in.
Is measuring the effectiveness of your training and awareness worth all this effort?
Yes, it is! Measures are a powerful way to demonstrate effectiveness and help justify the need for ongoing investment in reducing human cyber risk.
Building a great security culture takes time and work but will definitely have a positive impact on the overall security of your organisation.