Cybersecurity Is A Journey, Not A Destination

Forbes Books

An organization’s security training program is its first line of defense when it comes to fending off a cyber-attack. In Verizon’s 2021 Data Breach Investigations Report, 85% of breaches involved the human element, and breaches involving phishing campaigns increased by 11%. It has been said time and again that people are the weakest link in the security chain, which is why companies rely heavily on security training. These training engagements show employees the dangers, risks, and consequences of accidentally clicking an unknown link or divulging sensitive information over email. I’ve always said that security is a journey and not a destination, and when it comes to security awareness training, this is the mindset organizations must have moving forward.

Security is a Journey

To measure the effectiveness of security training, we must first understand what makes it effective. The saying “security is a journey and not a destination” tells us that in a rapidly evolving industry like cybersecurity, we can never stop learning. Training needs to be a continuous process rather than a once-a-year event or something done only during an employee’s onboarding. Security training needs to be ongoing and readily available to employees, while also providing good-quality, up-to-date content.

Key Performance Indicators

Within a training program also live certain Key Performance Indicators. These KPIs pay close attention to how the training is performing among your people. Some KPIs are as simple as a pass/fail ratio whereas others are much more data driven, like monitoring behavioral change.

Challenges with Understanding Metrics

The challenge with KPIs is understanding what the data is telling us. KPIs can either be too strict or offer too much slack. They also rely heavily on data and don’t account for the inherent differences among individuals. For example, a training program that takes 30 minutes in France may only take 15 minutes in Australia. It’s important to note that these differences are not negative indicators of the training program but rather a reflection of how different the world is on a global scale. Likewise, training that works for business-oriented people doesn’t always work for technical people.
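The two sections above describe what a training program measures (a pass/fail ratio, behavioral change over time) and the trap of reading regional differences such as completion time as failures. The script below is an added example, not code from the article or from VigiTrust, that computes those KPIs from constructed sample records: a per-employee training result with region, role, pass/fail and minutes taken, and quarterly phishing-simulation rounds per team. Completion time is reported beside the pass rate rather than folded into it, and the behavioral KPI is the direction of change in click rate between rounds, not any single round’s absolute value. All names, teams and figures are made up for illustration.

```python
"""Security-awareness training KPIs computed from constructed sample records.

Added example, not code from the article or from VigiTrust. Every record
below is constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed: one record per employee for a single training module.
TRAINING_RESULTS = [
    {"employee": "e1", "region": "FR", "role": "business", "passed": True, "minutes": 31},
    {"employee": "e2", "region": "FR", "role": "business", "passed": False, "minutes": 28},
    {"employee": "e3", "region": "FR", "role": "technical", "passed": True, "minutes": 33},
    {"employee": "e4", "region": "AU", "role": "business", "passed": True, "minutes": 14},
    {"employee": "e5", "region": "AU", "role": "technical", "passed": True, "minutes": 16},
    {"employee": "e6", "region": "AU", "role": "technical", "passed": True, "minutes": 15},
]

# Constructed: phishing-simulation rounds per team and quarter.
PHISHING_ROUNDS = [
    {"quarter": "2021Q1", "team": "finance", "sent": 50, "clicked": 12, "reported": 5},
    {"quarter": "2021Q2", "team": "finance", "sent": 50, "clicked": 8, "reported": 12},
    {"quarter": "2021Q3", "team": "finance", "sent": 50, "clicked": 4, "reported": 20},
    {"quarter": "2021Q1", "team": "engineering", "sent": 40, "clicked": 4, "reported": 10},
    {"quarter": "2021Q2", "team": "engineering", "sent": 40, "clicked": 3, "reported": 15},
]


def pass_rate(results, group_by=None):
    """Pass/fail ratio, overall or grouped by a record field ('region', 'role')."""
    counts = defaultdict(lambda: [0, 0])  # group -> [passed, total]
    for r in results:
        key = r[group_by] if group_by else "all"
        counts[key][0] += int(r["passed"])
        counts[key][1] += 1
    return {k: passed / total for k, (passed, total) in counts.items()}


def median_minutes(results, group_by):
    """Median completion time per group. Reported beside the pass rate, never
    folded into it: a slower region is a context difference, not a failure."""
    times = defaultdict(list)
    for r in results:
        times[r[group_by]].append(r["minutes"])
    return {k: median(v) for k, v in times.items()}


def behavior_trend(rounds, team):
    """Per-quarter (quarter, click rate, report rate) for one team, oldest first."""
    rows = sorted((r for r in rounds if r["team"] == team), key=lambda r: r["quarter"])
    return [
        (r["quarter"], round(r["clicked"] / r["sent"], 4), round(r["reported"] / r["sent"], 4))
        for r in rows
    ]


def behavior_change(rounds, team):
    """Change in click rate between the first and the most recent round.
    Negative means fewer clicks, i.e. behavior moved in the right direction."""
    trend = behavior_trend(rounds, team)
    if len(trend) < 2:
        return None  # a single round is a baseline, not a trend
    return round(trend[-1][1] - trend[0][1], 4)


def kpi_report(results=TRAINING_RESULTS, rounds=PHISHING_ROUNDS):
    """Bundle the KPIs a program owner would review each quarter."""
    teams = sorted({r["team"] for r in rounds})
    return {
        "pass_rate": pass_rate(results),
        "pass_rate_by_role": pass_rate(results, "role"),
        "median_minutes_by_region": median_minutes(results, "region"),
        "click_rate_change": {t: behavior_change(rounds, t) for t in teams},
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

In the constructed data the French group takes roughly twice as long as the Australian group yet both pass, which is exactly the case the text warns against misreading; the finance team’s click rate falls from 24% to 8% across three rounds while its report rate rises, which is the behavioral-change signal the pass/fail ratio alone cannot show.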

Training Methodologies

There are many different types of employee training methods, such as eLearning, simulation-based, instructor-led, coaching, and online quizzes. During Cybersecurity Awareness Month, VigiTrust will be using a security awareness “game” called VigiQuiz that will be given to employees and others to teach them cybersecurity best practices in a fun and engaging way. Each of these training types offers something the others don’t, so it’s important to offer your employees a good blend of them.

Role-Based Training

Role-based training prepares employees for real-life situations and indicates an employee’s current skill level. The results from role-based training, considered alongside the KPIs from an organization’s security awareness program, are a valuable tool for measuring the effectiveness of an organization’s security training program.

Conclusion

Once the organization reaches a level where it feels enough employees are compliant and competent in the various fields of training, it must still provide continuous and ongoing training to these employees. Remember, security is a journey and not a destination. Organizations must continuously aim to provide their employees with the tools to keep themselves up to date on the latest news, technologies, and threats, because that currency is fundamental to making them the best employees they can be.