Measure Results Now!

“What doesn’t get measured, doesn’t get managed.”

 – Peter F. Drucker, Leader in Management Education

According to IBM’s 2022 Cost of a Data Breach Report, only 17% of organizations surveyed experienced a data breach for the very first time. This number might sound somewhat good but the flip side of that statistic reveals that a significant majority—83% of organizations—face repeated security breaches.

Security awareness training can reduce and eliminate those events. If breaches recur, how do you know it’s effective?

While there’s something to say for the fact that most organizations practice security awareness training, many still lack visibility into its impact on employee behavior.

Establishing meaningful security awareness metrics and collecting data to back them up helps measure your security readiness. Identifying your security strengths and weaknesses is crucial for improving security conduct throughout your organization.

The challenge is that measurement is tricky, especially when it involves people. Gathering security awareness data requires some tracking of daily activities. However, the need for measurement is urgent. Verizon’s 2022 Data Breach Investigations Report indicated that a human element was involved in 82% of security breaches.

To address this issue, security leaders must ensure that measurement is integral to security awareness training. Organizations need leadership in IT security and a strategy to measure and report on employees’ behavioral progress.

Collecting metrics gives you baseline insight into the effectiveness of your security awareness program. Collecting the right metrics, consistently and regularly, helps you target areas for continuous security improvement.

Choosing Useful Metrics

There are various ways to document and quantify changes to security behavior. Answering questions about your organization’s security goals and priorities is the first step for identifying useful metrics.

Example questions include:

  • Do you want to curtail specific behaviors or address a specific kind of breach?
  • Do you want to gather data from individual employees or measure security awareness at a departmental or organization-wide level?
  • If you already gather metrics, is your objective to dig deeper to obtain more granular data?

Think about how you want to use the data. Is the primary goal to reduce security incidents and breaches? Or do you need data to demonstrate the effectiveness of security awareness procedures and training to company leadership?

Choosing the right security awareness metrics depends on the maturity of your information security program and available resources. Do you have a team to gather data, or will employees self-report their progress? How will you record, analyze, and share data? Data from personal interviews is harder to share than numerical data, for instance. Focus on metrics that you can compare over time.

Critical Metrics to Get You Started

Don’t let the task of setting meaningful metrics deter you from setting a measurement plan in motion. Measuring and demonstrating progress is crucial to a successful security awareness training program. Since human involvement remains the key factor in data breaches, start there. Develop performance indicators and deeper insights on the following three critical areas.

1.      Phishing and Pretexting Attacks

Phishing is still the most significant point of entry for cyber criminals into your organization. IBM’s 2022 report shows it is among the costliest. Another common attack is Pretexting or Business Email Compromises (BECs), in which cyber attackers trick targets into sharing company credentials. All it takes is one unfortunate click. However, security awareness metrics can help uncover these high-risk areas.

Gather security training data on email click rates, especially high repeat click rates. Collect information from different departments about reported phishing emails, BECs, and outcomes. Having a clear picture of how your employees respond to phishing and pretexting threats through email empowers your organization to fine-tune your security approach.

Extrapolate this measurement approach to security threat trends that are most common in your environment—from ransomware and worms to viruses and spyware. The ability of your employees to recognize attacks before they happen speaks to your organization’s cyber security awareness. Increasing report rates and reduced clicks shows you’re making progress.

2.      Password Security

Passwords remain the primary authentication method for many business systems and processes. Despite best efforts, cyber attackers remain skilled at compromising that protective layer. Verizon’s 2022 report on cyber breaches attributes an astounding 80% of web application attacks to stolen credentials.

Security awareness metrics can help employees adopt best practices for password protection. Gathering up to date intelligence on strong and effective password creation and maintenance is critical.

Run tests to gather data on existing password strength and security. Keep tabs on how frequently your employees change their passwords. When your security team requests a password change, how many employees act on those requests? Drill down into multi-factor authentication and get the numbers. How many employees employ it and what methods do they prefer?

Teaching employees to avoid guessable passwords and avoid sharing them is part of security awareness training. Quantifying positive password behaviors can help demonstrate progress or deficits in this area. Surveys and questionnaires can serve as data metrics around the spread of security awareness is throughout the organization.

3.      Desk and Device Security

It’s crucial to keep track of your team’s adherence to the Clean Desk Principle. What percentage of employees added password protection to their computer screens? Do employees always shred documents before putting them in the trash? Organizations improve overall information security when they assign responsibility for these duties and track their performance.

That responsibility and record-keeping extends to networked devices. Collect data on computers, laptops, tablets, software applications, and organization-owned and personal mobile devices. What is the volume of each type? What is their update status? Are they patched regularly? Was there any device loss or theft? How often, and where did it occur?

The rise of hybrid and remote work has changed our conception of the clean desk. According to IBM’s 2022 Report, security breaches cost organizations on average US$1 million more when remote work was a factor.

When employees work in their own homes, organizations need different, deeper insights into device security. Track security awareness around employee storage of sensitive information and ensure it applies to remote work scenarios.

Focus on the Big Picture

With data measurement and metrics, people sometimes get caught in the weeds. Security awareness data is as fascinating as it’s important. However, as you collect your data, keep your biggest organizational goals in mind.

When you start setting security awareness metrics, review your organization’s mission statement. Look at long-term and short-term targets and assess how your security awareness program helps achieve them. Your metrics should narrow the gap between security challenges and risks and organizational goals. Over time, those measurements will ideally demonstrate progress toward stated outcomes.

It’s equally important to know your audience. You may need to apply different measurement criteria to new hires and seasoned employees. Your employees are your most valuable partners in security awareness. Find out what works for them and seek their input on useful metrics.

Cyber attacks are getting increasingly sophisticated. You need to be equally innovative to stay ahead of cyber attackers. Raw performance data and metrics provide ongoing visibility into your organization’s security culture. The sooner you start measuring and analyzing employee behaviors, the sooner you will strengthen your organization’s security.



Cyber Security Hub: Access Exclusive Cyber Security Content

Visit our Cyber Security Hub to access free and shareable content on building a strong foundation for a cyber aware culture.